Threat Actor Profile
Description
Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).(Citation: CISA GRU29155 2024) Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.(Citation: Cadet Blizzard emerges as novel threat actor) Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: CISA GRU29155 2024) There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present, available evidence strongly suggests these are distinct activities with different behavioral profiles.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (48)
STIX Data
{'aliases': ['Ember Bear',
'UNC2589',
'Bleeding Bear',
'DEV-0586',
'Cadet Blizzard',
'Frozenvista',
'UAC-0056'],
'created': '2022-06-09T14:49:57.704Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[Ember Bear](https://attack.mitre.org/groups/G1003) is a '
'Russian state-sponsored cyber espionage group that has been '
"active since at least 2020, linked to Russia's General Staff "
'Main Intelligence Directorate (GRU) 161st Specialist Training '
'Center (Unit 29155).(Citation: CISA GRU29155 2024) [Ember '
'Bear](https://attack.mitre.org/groups/G1003) has primarily '
'focused operations against Ukrainian government and '
'telecommunication entities, but has also operated against '
'critical infrastructure entities in Europe and the '
'Americas.(Citation: Cadet Blizzard emerges as novel threat '
'actor) [Ember Bear](https://attack.mitre.org/groups/G1003) '
'conducted the '
'[WhisperGate](https://attack.mitre.org/software/S0689) '
'destructive wiper attacks against Ukraine in early '
'2022.(Citation: CrowdStrike Ember Bear Profile March '
'2022)(Citation: Mandiant UNC2589 March 2022)(Citation: CISA '
'GRU29155 2024) There is some confusion as to whether [Ember '
'Bear](https://attack.mitre.org/groups/G1003) overlaps with '
'another Russian-linked entity referred to as [Saint '
'Bear](https://attack.mitre.org/groups/G1031). At present '
'available evidence strongly suggests these are distinct '
'activities with different behavioral profiles.(Citation: '
'Cadet Blizzard emerges as novel threat actor)(Citation: Palo '
'Alto Unit 42 OutSteel SaintBot February 2022 )',
'external_references': [{'external_id': 'G1003',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G1003'},
{'description': '(Citation: Cadet Blizzard emerges as '
'novel threat actor)',
'source_name': 'DEV-0586'},
{'description': '(Citation: Cadet Blizzard emerges as '
'novel threat actor)',
'source_name': 'Cadet Blizzard'},
{'description': '(Citation: CISA GRU29155 2024)',
'source_name': 'Frozenvista'},
{'description': '(Citation: CISA GRU29155 2024)',
'source_name': 'UAC-0056'},
{'description': '(Citation: CrowdStrike Ember Bear '
'Profile March 2022)',
'source_name': 'Bleeding Bear'},
{'description': '(Citation: Mandiant UNC2589 March '
'2022)',
'source_name': 'UNC2589'},
{'description': 'CrowdStrike. (2022, March 30). Who '
'is EMBER BEAR?. Retrieved June 9, '
'2022.',
'source_name': 'CrowdStrike Ember Bear Profile March '
'2022',
'url': 'https://www.crowdstrike.com/blog/who-is-ember-bear/'},
{'description': 'Microsoft Threat Intelligence. '
'(2023, June 14). Cadet Blizzard '
'emerges as a novel and distinct '
'Russian threat actor. Retrieved July '
'10, 2023.',
'source_name': 'Cadet Blizzard emerges as novel '
'threat actor',
'url': 'https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/'},
{'description': 'Sadowski, J; Hall, R. (2022, March '
"4). Responses to Russia's Invasion "
'of Ukraine Likely to Spur '
'Retaliation. Retrieved June 9, 2022.',
'source_name': 'Mandiant UNC2589 March 2022',
'url': 'https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation'},
{'description': 'Unit 42. (2022, February 25). Spear '
'Phishing Attacks Target '
'Organizations in Ukraine, Payloads '
'Include the Document Stealer '
'OutSteel and the Downloader '
'SaintBot. Retrieved June 9, 2022.',
'source_name': 'Palo Alto Unit 42 OutSteel SaintBot '
'February 2022 ',
'url': 'https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/'},
{'description': 'US Cybersecurity & Infrastructure '
'Security Agency et al. (2024, '
'September 5). Russian Military Cyber '
'Actors Target U.S. and Global '
'Critical Infrastructure. Retrieved '
'September 6, 2024.',
'source_name': 'CISA GRU29155 2024',
'url': 'https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf'}],
'id': 'intrusion-set--a7f57cc1-4540-4429-823f-f4e56b8473c9',
'modified': '2025-04-25T19:03:38.177Z',
'name': 'Ember Bear',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Hannah S'],
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '2.1'}