Ember Bear · G1003 · state
🇷🇺 RU
aka Ember Bear, UNC2589, Bleeding Bear, DEV-0586, Cadet Blizzard, Frozenvista, UAC-0056, SaintBear, TA471, Nascent Ursa, Nodaria, Storm-0587, DEV-0587, Saint Bear, Lorec53, Lorec Bear
Last updated: 2026-07-03
About this actor
[Ember Bear](https://attack.mitre.org/groups/G1003) is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).(Citation: CISA GRU29155 2024) [Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.(Citation: Cadet Blizzard emerges as novel threat actor) [Ember Bear](https://attack.mitre.org/groups/G1003) conducted the [WhisperGate](https://attack.mitre.org/software/S0689) destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: CISA GRU29155 2024) There is some confusion as to whether [Ember Bear](https://attack.mitre.org/groups/G1003) overlaps with another Russian-linked entity referred to as [Saint Bear](https://attack.mitre.org/groups/G1031). At present, available evidence strongly suggests these are distinct activities with different behavioral profiles.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
- 2022 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2022-27666 | 5.5 | 7.8 | 0.0552 | 2022-03-23 | see CVE |
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |

T1003, T1003.001, T1003.002, T1003.004, T1005, T1018, T1021, T1036, T1036.005, T1046, T1047, T1053, T1053.005, T1059, T1059.001, T1070, T1070.004, T1071, T1071.004, T1078, T1078.001, T1090, T1090.003, T1095, T1110, T1110.003, T1112, T1114, T1119, T1125, T1133, T1190, T1195, T1203, T1210, T1491, T1491.002, T1505, T1505.003, T1550, T1550.002, T1552, T1552.001, T1560, T1561, T1561.002, T1567, T1567.002, T1570, T1571, T1572, T1583, T1583.003, T1585, T1588, T1588.001, T1588.005, T1595, T1595.001, T1595.002, T1654
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 43 / 61 | 70% |
| AC-3 | 39 / 61 | 64% |
| CM-2 | 37 / 61 | 61% |
| CM-6 | 37 / 61 | 61% |
| AC-6 | 36 / 61 | 59% |
| AC-2 | 29 / 61 | 48% |
| SI-3 | 29 / 61 | 48% |
| CA-7 | 28 / 61 | 46% |
| CM-7 | 26 / 61 | 43% |
| AC-5 | 23 / 61 | 38% |
| IA-2 | 22 / 61 | 36% |
| AC-4 | 21 / 61 | 34% |
| SI-7 | 21 / 61 | 34% |
| SC-7 | 20 / 61 | 33% |
| CM-5 | 18 / 61 | 30% |
Co-occurring actors
- Mustang Panda: 1 shared CVE
- SolarWinds Compromise: 1 shared CVE
- APT38: 1 shared CVE
- Tonto Team: 1 shared CVE
- GOLD SOUTHFIELD: 1 shared CVE
- Aquatic Panda: 1 shared CVE
- APT28: 1 shared CVE
- Sandworm Team: 1 shared CVE
- Ajax Security Team: 1 shared CVE
- FIN7: 1 shared CVE
Similar actors
Similar TTPs
- C0032 0.29
- SharePoint ToolShell Exploitation 0.28
- GALLIUM 0.28
- Dragonfly 0.28
- Operation Wocao 0.27
Active in same years
- APT29 2.00
- Threat Group-3390 2.00
- Sandworm Team 2.00
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
Same nation-state
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00