Cyber Resilience

Threat actor · all actors

Ember BearG1003 state

🇷🇺 RU

aka Ember Bear, UNC2589, Bleeding Bear, DEV-0586, Cadet Blizzard, Frozenvista, UAC-0056, SaintBear, TA471, Nascent Ursa, Nodaria, Storm-0587, DEV-0587, Saint Bear, Lorec53, Lorec Bear

Last updated: 2026-07-03

2attributed CVEs
61ATT&CK techniques
5.5IDF score (tooling uniqueness)
1exclusive CVEs
2022–2026years active

About this actor

[Ember Bear](https://attack.mitre.org/groups/G1003) is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).(Citation: CISA GRU29155 2024) [Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.(Citation: Cadet Blizzard emerges as novel threat actor) [Ember Bear](https://attack.mitre.org/groups/G1003) conducted the [WhisperGate](https://attack.mitre.org/software/S0689) destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: CISA GRU29155 2024) There is some confusion as to whether [Ember Bear](https://attack.mitre.org/groups/G1003) overlaps with another Russian-linked entity referred to as [Saint Bear](https://attack.mitre.org/groups/G1031). At present available evidence strongly suggests these are distinct activities with different behavioral profiles.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Source: MITRE ATT&CK

Activity timeline

Profile

CVERiskCVSSEPSSPublishedProducts
CVE-2022-27666 5.57.80.05522022-03-23see CVE
CVE-2026-20929 5.57.50.01142026-01-13see CVE

Mitigating controls (NIST 800-53)

ControlTechniques coveredCoverage
SI-443 / 6170%
AC-339 / 6164%
CM-237 / 6161%
CM-637 / 6161%
AC-636 / 6159%
AC-229 / 6148%
SI-329 / 6148%
CA-728 / 6146%
CM-726 / 6143%
AC-523 / 6138%
IA-222 / 6136%
AC-421 / 6134%
SI-721 / 6134%
SC-720 / 6133%
CM-518 / 6130%

Co-occurring actors

Similar actors

Overlapping CVEs