Trusted Design

Ember Bear

G1003 · MITRE Pageへのリンク

脅威アクターの詳細

[Ember Bear](https://attack.mitre.org/groups/G1003) is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).(Citation: CISA GRU29155 2024) [Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.(Citation: Cadet Blizzard emerges as novel threat actor) [Ember Bear](https://attack.mitre.org/groups/G1003) conducted the [WhisperGate](https://attack.mitre.org/software/S0689) destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: CISA GRU29155 2024) There is some confusion as to whether [Ember Bear](https://attack.mitre.org/groups/G1003) overlaps with another Russian-linked entity referred to as [Saint Bear](https://attack.mitre.org/groups/G1031). At present available evidence strongly suggests these are distinct activities with different behavioral profiles.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

別名・別称

Ember Bear
UNC2589
Bleeding Bear
DEV-0586
Cadet Blizzard
Frozenvista
UAC-0056

利用した攻撃手法

• T1053.005 - Scheduled Task
• T1047 - Windows Management Instrumentation
• T1583 - Acquire Infrastructure
• T1003 - OS Credential Dumping
• T1561.002 - Disk Structure Wipe
• T1491.002 - External Defacement
• T1133 - External Remote Services
• T1114 - Email Collection
• T1003.002 - Security Account Manager
• T1071.004 - DNS
• T1036.005 - Match Legitimate Resource Name or Location
• T1003.004 - LSA Secrets
• T1119 - Automated Collection
• T1005 - Data from Local System
• T1195 - Supply Chain Compromise
• T1190 - Exploit Public-Facing Application
• T1036 - Masquerading
• T1572 - Protocol Tunneling
• T1560 - Archive Collected Data
• T1021 - Remote Services
• T1595.002 - Vulnerability Scanning
• T1112 - Modify Registry
• T1505.003 - Web Shell
• T1078.001 - Default Accounts
• T1003.001 - LSASS Memory
• T1110.003 - Password Spraying
• T1125 - Video Capture
• T1588.001 - Malware
• T1583.003 - Virtual Private Server
• T1552.001 - Credentials In Files
• T1654 - Log Enumeration
• T1059.001 - PowerShell
• T1210 - Exploitation of Remote Services
• T1090.003 - Multi-hop Proxy
• T1110 - Brute Force
• T1562.001 - Disable or Modify Tools
• T1571 - Non-Standard Port
• T1203 - Exploitation for Client Execution
• T1567.002 - Exfiltration to Cloud Storage
• T1570 - Lateral Tool Transfer
• T1095 - Non-Application Layer Protocol
• T1585 - Establish Accounts
• T1070.004 - File Deletion
• T1595.001 - Scanning IP Blocks
• T1018 - Remote System Discovery
• T1046 - Network Service Discovery
• T1550.002 - Pass the Hash
• T1588.005 - Exploits

関連するCVE (攻撃手法に関連)

• CVE-2014-4114 (T1203)
• CVE-2017-0143 (T1588.005)
• CVE-2016-2343 (T1003.002)
• CVE-2016-6532 (T1110)
• CVE-2015-5119 (T1203)
• CVE-2015-5122 (T1018)
• CVE-2015-1427 (T1505.003)
• CVE-2015-1770 (T1203)
• CVE-2012-1856 (T1203)
• CVE-2015-2545 (T1562.001)
• CVE-2015-2546 (T1562.001)
• CVE-2014-6332 (T1203)
• CVE-2015-3785 (T1562.001)
• CVE-2015-5897 (T1562.001)
• CVE-2015-7645 (T1203)
• CVE-2017-0199 (T1203)
• CVE-2017-12149 (T1654)
• CVE-2015-3043 (T1018)
• CVE-2015-3090 (T1203)
• CVE-2015-3113 (T1203)
• CVE-2015-2590 (T1210)
• CVE-2015-2424 (T1190)
• CVE-2015-0097 (T1190)
• CVE-2015-4495 (T1203)
• CVE-2012-0158 (T1203)
• CVE-2014-1761 (T1588.005)
• CVE-2015-2502 (T1203)
• CVE-2014-6271 (T1046)
• CVE-2013-2094 (T1190)
• CVE-2014-4113 (T1562.001)
• CVE-2015-8562 (T1595.001)
• CVE-2015-7808 (T1095)
• CVE-2012-1889 (T1003.002)
• CVE-2016-1990 (T1003.002)
• CVE-2016-1991 (T1095)
• CVE-2016-1010 (T1595.001)
• CVE-2016-0984 (T1562.001)
• CVE-2016-1001 (T1203)
• CVE-2016-0998 (T1595.001)
• CVE-2015-1641 (T1588.005)
• CVE-2015-1701 (T1562.001)
• CVE-2015-0313 (T1203)
• CVE-2015-0359 (T1588.005)
• CVE-2014-0329 (T1550.002)
• CVE-2015-5130 (T1588.005)
• CVE-2015-5134 (T1588.005)
• CVE-2015-5539 (T1588.005)
• CVE-2015-5557 (T1588.005)
• CVE-2015-5563 (T1588.005)
• CVE-2015-5559 (T1588.005)
• CVE-2015-5540 (T1588.005)
• CVE-2015-5561 (T1588.005)
• CVE-2015-5551 (T1588.005)
• CVE-2015-5564 (T1595.001)
• CVE-2015-5565 (T1588.005)
• CVE-2015-5550 (T1588.005)
• CVE-2015-5566 (T1588.005)
• CVE-2015-5127 (T1588.005)
• CVE-2015-5556 (T1588.005)
• CVE-2015-5749 (T1552.001)
• CVE-2015-3628 (T1203)
• CVE-2015-2852 (T1203)
• CVE-2015-2854 (T1095)
• CVE-2015-2853 (T1203)
• CVE-2015-7755 (T1203)
• CVE-2012-4969 (T1203)
• CVE-2016-1287 (T1588.005)
• CVE-2015-6585 (T1552.001)
• CVE-2015-7261 (T1552.001)
• CVE-2015-6022 (T1552.001)
• CVE-2015-7262 (T1552.001)
• CVE-2015-8286 (T1190)
• CVE-2015-8287 (T1203)
• CVE-2016-1562 (T1562.001)
• CVE-2016-2342 (T1588.005)
• CVE-2017-0263 (T1562.001)
• CVE-2016-9494 (T1562.001)
• CVE-2016-9496 (T1550.002)
• CVE-2016-9495 (T1203)
• CVE-2017-3212 (T1562.001)
• CVE-2025-61882 (T1003.002)
• CVE-2015-0311 (T1203)
• CVE-2010-3081 (T1588.005)
• CVE-2012-3213 (T1203)
• CVE-2012-4792 (T1550.002)
• CVE-2012-1258 (T1550.002)
• CVE-2015-0336 (T1203)
• CVE-2014-3153 (T1203)
• CVE-2014-4322 (T1562.001)
• CVE-2015-3105 (T1203)
• CVE-2014-0497 (T1203)
• CVE-2014-8361 (T1203)
• CVE-2017-17215 (T1588.005)
• CVE-2013-0074 (T1588.005)
• CVE-2012-0507 (T1583.003)
• CVE-2013-2551 (T1203)
• CVE-2014-0569 (T1190)
• CVE-2014-0515 (T1203)
• CVE-2015-0310 (T1203)
• CVE-2012-4681 (T1588.005)
• CVE-2014-1776 (T1203)
• CVE-2012-1876 (T1203)
• CVE-2015-0071 (T1203)
• CVE-2015-1761 (T1583.003)
• CVE-2014-8440 (T1018)
• CVE-2013-3660 (T1562.001)
• CVE-2010-0806 (T1588.005)
• CVE-2014-4148 (T1562.001)
• CVE-2011-3402 (T1562.001)
• CVE-2010-2883 (T1046)
• CVE-2014-7247 (T1203)
• CVE-2013-2678 (T1552.001)
• CVE-2010-0738 (T1654)
• CVE-2015-2426 (T1562.001)
• CVE-2008-1436 (T1585)
• CVE-2010-0232 (T1203)
• CVE-2010-4398 (T1550.002)
• CVE-2014-3393 (T1562.001)
• CVE-2012-6422 (T1562.001)
• CVE-2013-2595 (T1562.001)
• CVE-2014-3897 (T1003.002)
• CVE-2015-2387 (T1562.001)
• CVE-2011-1255 (T1203)
• CVE-2011-0611 (T1203)
• CVE-2013-5990 (T1203)
• CVE-2016-0189 (T1203)
• CVE-2017-7255 (T1018)
• CVE-2023-1389 (T1550.002)
• CVE-2025-24893 (T1550.002)
• CVE-2025-34026 (T1203)
• CVE-2026-0723 (T1003.002)
• CVE-2026-20127 (T1562.001)
• CVE-2016-1019 (T1190)
• CVE-2016-1898 (T1095)
• CVE-2016-1897 (T1095)
• CVE-2017-0261 (T1588.005)
• CVE-2017-0262 (T1018)
• CVE-2025-55182 (T1588.005)
• CVE-2015-0932 (T1552.001)
• CVE-2013-3906 (T1588.005)
• CVE-2012-0056 (T1190)
• CVE-2010-3333 (T1046)
• CVE-2015-3636 (T1562.001)
• CVE-2013-6282 (T1562.001)
• CVE-2017-16929 (T1552.001)
• CVE-2014-8439 (T1046)
• CVE-2014-0556 (T1562.001)
• CVE-2015-5560 (T1595.001)
• CVE-2012-2539 (T1588.005)
• CVE-2014-9163 (T1046)
• CVE-2012-1723 (T1190)
• CVE-2010-1297 (T1588.005)
• CVE-2010-2884 (T1562.001)
• CVE-2013-0634 (T1562.001)
• CVE-2015-4902 (T1210)
• CVE-2025-55183 (T1588.005)
• CVE-2025-55184 (T1588.005)
• CVE-2014-6352 (T1203)
• CVE-2015-0016 (T1203)
• CVE-2014-0322 (T1203)
• CVE-2015-0057 (T1562.001)
• CVE-2013-7331 (T1018)
• CVE-2015-2360 (T1562.001)
• CVE-2015-3456 (T1562.001)
• CVE-2012-0611 (T1203)
• CVE-2015-6034 (T1562.001)
• CVE-2015-6036 (T1552.001)
• CVE-2009-3129 (T1588.005)
• CVE-2025-31125 (T1552.001)
• CVE-2025-54313 (T1588.005)
• CVE-2025-68645 (T1046)
• CVE-2014-7911 (T1550.002)
• CVE-2014-6324 (T1562.001)
• CVE-2014-2273 (T1562.001)
• CVE-2025-13335 (T1571)
• CVE-2015-2419 (T1203)
• CVE-2016-4117 (T1203)
• CVE-2010-1553 (T1046)
• CVE-2015-5477 (T1550.002)
• CVE-2025-66478 (T1588.005)

Actor – Pulse グラフ

---

← 脅威アクター一覧に戻る