<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Ember Bear, UNC2589, Bleeding Bear, DEV-0586, Cadet Blizzard, Frozenvista, UAC-0056, Group G1003 | MITRE ATT&CK®</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' 
id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> 
<b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/theme/images/external-site.svg" alt="External site" 
class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/groups/">Groups</a></li> <li class="breadcrumb-item">Ember Bear</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Ember Bear </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/groups/G1003">Ember Bear</a> is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).<span 
onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> <a href="/groups/G1003">Ember Bear</a> has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> <a href="/groups/G1003">Ember Bear</a> conducted the <a href="/software/S0689">WhisperGate</a> destructive wiper attacks against Ukraine in early 2022.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="CrowdStrike. (2022, March 30). Who is EMBER BEAR?. Retrieved June 9, 2022."data-reference="CrowdStrike Ember Bear Profile March 2022"><sup><a href="https://www.crowdstrike.com/blog/who-is-ember-bear/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Sadowski, J; Hall, R. (2022, March 4). 
Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation. Retrieved June 9, 2022."data-reference="Mandiant UNC2589 March 2022"><sup><a href="https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> There is some confusion as to whether <a href="/groups/G1003">Ember Bear</a> overlaps with another Russian-linked entity referred to as <a href="/groups/G1031">Saint Bear</a>. At present available evidence strongly suggests these are distinct activities with different behavioral profiles.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. 
Retrieved June 9, 2022."data-reference="Palo Alto Unit 42 OutSteel SaintBot February 2022 "><sup><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>G1003 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Names that have overlapping reference to a group entry and may refer to the same or similar group in threat intelligence reporting">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Associated Groups</span>: UNC2589, Bleeding Bear, DEV-0586, Cadet Blizzard, Frozenvista, UAC-0056 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors</span>: Hannah Simes, BT Security </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version</span>: 2.0 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>09 June 2022 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>06 September 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of G1003" href="/versions/v16/groups/G1003/" data-test-ignore="true">Version Permalink</a> </div> <div 
class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of G1003" href="/versions/v16/groups/G1003/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="aliasDescription">Associated Group Descriptions</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> UNC2589 </td> <td> <p><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Sadowski, J; Hall, R. (2022, March 4). Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation. Retrieved June 9, 2022."data-reference="Mandiant UNC2589 March 2022"><sup><a href="https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> Bleeding Bear </td> <td> <p><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="CrowdStrike. (2022, March 30). Who is EMBER BEAR?. Retrieved June 9, 2022."data-reference="CrowdStrike Ember Bear Profile March 2022"><sup><a href="https://www.crowdstrike.com/blog/who-is-ember-bear/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> DEV-0586 </td> <td> <p><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. 
Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> Cadet Blizzard </td> <td> <p><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> Frozenvista </td> <td> <p><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr> <td> UAC-0056 </td> <td> <p><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&CK<sup>®</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/groups/G1003/G1003-enterprise-layer.json" download target="_blank">download</a> <!-- only show view on navigator link if layer link is defined --> <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/theme/images/external-site-dark.jpeg"></a> <script src="/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS var layerURL = window.location.protocol + "//" + window.location.host + base_url + "groups/G1003/G1003-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div> <!--start-indexing-for-search--> <h2 class="pt-3 mb-2" id="techniques">Techniques Used</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" 
scope="col">Use</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1583">T1583</a> </td> <td> <a href="/techniques/T1583">Acquire Infrastructure</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> uses services such as IVPN, SurfShark, and Tor to add anonymization to operations.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1583/003">.003</a> </td> <td> <a href="/techniques/T1583/003">Virtual Private Server</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has used virtual private servers (VPSs) to host tools, perform reconnaissance, exploit victim infrastructure, and as a destination for data exfiltration.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1595">T1595</a> </td> <td> <a href="/techniques/T1595/001">.001</a> </td> <td> <a href="/techniques/T1595">Active Scanning</a>: <a href="/techniques/T1595/001">Scanning IP Blocks</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has targeted IP ranges for vulnerability scanning related to government and critical infrastructure organizations.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1595/002">.002</a> </td> <td> <a href="/techniques/T1595">Active Scanning</a>: <a href="/techniques/T1595/002">Vulnerability Scanning</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has used publicly available tools such as MASSCAN and Acunetix for vulnerability scanning of public-facing infrastructure.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1071">T1071</a> </td> <td> <a href="/techniques/T1071/004">.004</a> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/004">DNS</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has used DNS tunnelling tools, such as dnscat/2 and Iodine, for C2 purposes.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1560">T1560</a> </td> <td> <a href="/techniques/T1560">Archive Collected Data</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has compressed collected data prior to exfiltration.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1119">T1119</a> </td> <td> <a href="/techniques/T1119">Automated Collection</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> engages in mass collection from compromised systems during intrusions.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1110">T1110</a> </td> <td> <a href="/techniques/T1110">Brute Force</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> used the <code>su-bruteforce</code> tool to brute force specific users using the <code>su</code> command.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1110/003">.003</a> </td> <td> <a href="/techniques/T1110/003">Password Spraying</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has conducted password spraying against Outlook Web Access (OWA) infrastructure to identify valid user names and passwords.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1059">T1059</a> </td> <td> <a href="/techniques/T1059/001">.001</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has used PowerShell commands to gather information from compromised systems, such as email servers.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1005">T1005</a> </td> <td> <a href="/techniques/T1005">Data from Local System</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> gathers victim system information such as enumerating the volume of a given device or extracting system and security event logs for analysis.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1491">T1491</a> </td> <td> <a href="/techniques/T1491/002">.002</a> </td> <td> <a href="/techniques/T1491">Defacement</a>: <a href="/techniques/T1491/002">External Defacement</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> is linked to the defacement of several Ukrainian organization websites.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1561">T1561</a> </td> <td> <a href="/techniques/T1561/002">.002</a> </td> <td> <a href="/techniques/T1561">Disk Wipe</a>: <a href="/techniques/T1561/002">Disk Structure Wipe</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> conducted destructive operations against victims, including disk structure wiping, via the <a href="/software/S0689">WhisperGate</a> malware in Ukraine.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. 
Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1114">T1114</a> </td> <td> <a href="/techniques/T1114">Email Collection</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> attempts to collect mail from accessed systems and servers.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1585">T1585</a> </td> <td> <a href="/techniques/T1585">Establish Accounts</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has created accounts on dark web forums to obtain various tools and malware.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1567">T1567</a> </td> <td> <a href="/techniques/T1567/002">.002</a> </td> <td> <a href="/techniques/T1567">Exfiltration Over Web Service</a>: <a href="/techniques/T1567/002">Exfiltration to Cloud Storage</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has used tools such as <a href="/software/S1040">Rclone</a> to exfiltrate information from victim environments to cloud storage such as <code>mega.nz</code>.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1190">T1190</a> </td> <td> <a href="/techniques/T1190">Exploit Public-Facing Application</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> gains initial access to victim environments by exploiting external-facing services. Examples include exploitation of CVE-2021-26084 in Confluence servers; CVE-2022-41040, ProxyShell, and other vulnerabilities in Microsoft Exchange; and multiple vulnerabilities in open-source platforms such as content management systems.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1203">T1203</a> </td> <td> <a href="/techniques/T1203">Exploitation for Client Execution</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has used exploits to enable follow-on execution of frameworks such as Meterpreter.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1210">T1210</a> </td> <td> <a href="/techniques/T1210">Exploitation of Remote Services</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has used exploits for vulnerabilities such as MS17-010, also known as <code>Eternal Blue</code>, during operations.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024." data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1133">T1133</a> </td> <td> <a href="/techniques/T1133">External Remote Services</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has used VPNs both for initial access to victim environments and for persistence within them following compromise.<span onclick="scrollToRef('scite-1')" id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024." data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1562">T1562</a> </td> <td> <a href="/techniques/T1562/001">.001</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/001">Disable or Modify Tools</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> uses the NirSoft AdvancedRun utility to disable Microsoft Defender Antivirus by stopping the WinDefend service on victim machines. <a href="/groups/G1003">Ember Bear</a> also disables Windows Defender via registry key changes.<span onclick="scrollToRef('scite-2')" id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). 
Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023." data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1070">T1070</a> </td> <td> <a href="/techniques/T1070/004">.004</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> deletes files related to lateral movement to avoid detection.<span onclick="scrollToRef('scite-2')" id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023." data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1570">T1570</a> </td> <td> <a href="/techniques/T1570">Lateral Tool Transfer</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> retrieves follow-on payloads directly from adversary-owned infrastructure for deployment on compromised hosts.<span onclick="scrollToRef('scite-2')" id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. 
Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1654">T1654</a> </td> <td> <a href="/techniques/T1654">Log Enumeration</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has enumerated SECURITY and SYSTEM log files during intrusions.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1036">T1036</a> </td> <td> <a href="/techniques/T1036">Masquerading</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has renamed the legitimate Sysinternals tool procdump to alternative names such as <code>dump64.exe</code> to evade detection.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. 
Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1036/005">.005</a> </td> <td> <a href="/techniques/T1036/005">Match Legitimate Name or Location</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has renamed tools to match legitimate utilities, such as renaming GOST tunneling instances to <code>java</code> in victim environments.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1112">T1112</a> </td> <td> <a href="/techniques/T1112">Modify Registry</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> modifies registry values for anti-forensics and defense evasion purposes.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. 
Retrieved July 10, 2023." data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1046">T1046</a> </td> <td> <a href="/techniques/T1046">Network Service Discovery</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has used tools such as Nmap for remote system discovery and enumeration in victim environments.<span onclick="scrollToRef('scite-1')" id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024." data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1095">T1095</a> </td> <td> <a href="/techniques/T1095">Non-Application Layer Protocol</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> uses socket-based tunneling utilities such as NetCat and Go Simple Tunnel (GOST) for command and control purposes. These tunnels are used to push interactive command prompts over the created sockets.<span onclick="scrollToRef('scite-2')" id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. 
Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> <a href="/groups/G1003">Ember Bear</a> has also used reverse TCP connections from Meterpreter installations to communicate back with C2 infrastructure.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1571">T1571</a> </td> <td> <a href="/techniques/T1571">Non-Standard Port</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has used various non-standard ports for C2 communication.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1588">T1588</a> </td> <td> <a href="/techniques/T1588/001">.001</a> </td> <td> <a href="/techniques/T1588">Obtain Capabilities</a>: <a href="/techniques/T1588/001">Malware</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has acquired malware and related tools from dark web forums.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1588/005">.005</a> </td> <td> <a href="/techniques/T1588">Obtain Capabilities</a>: <a href="/techniques/T1588/005">Exploits</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has obtained exploitation scripts against publicly-disclosed vulnerabilities from public repositories.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024." data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1003">T1003</a> </td> <td> <a href="/techniques/T1003">OS Credential Dumping</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> gathers credential material, such as SSH keys, from target systems to facilitate access to victim environments.<span onclick="scrollToRef('scite-2')" id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023." data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1003/001">.001</a> </td> <td> <a href="/techniques/T1003/001">LSASS Memory</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> uses legitimate Sysinternals tools such as procdump to dump LSASS memory.<span onclick="scrollToRef('scite-2')" id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. 
Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1003/002">.002</a> </td> <td> <a href="/techniques/T1003/002">Security Account Manager</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> acquires victim credentials by extracting registry hives such as the Security Account Manager through commands such as <code>reg save</code>.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. 
and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1003/004">.004</a> </td> <td> <a href="/techniques/T1003/004">LSA Secrets</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has used frameworks such as <a href="/software/S0357">Impacket</a> to dump LSA secrets for credential capture.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1572">T1572</a> </td> <td> <a href="/techniques/T1572">Protocol Tunneling</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has used ProxyChains to tunnel protocols to internal networks.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1090">T1090</a> </td> <td> <a href="/techniques/T1090/003">.003</a> </td> <td> <a href="/techniques/T1090">Proxy</a>: <a href="/techniques/T1090/003">Multi-hop Proxy</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has configured multi-hop proxies via ProxyChains within victim environments.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1021">T1021</a> </td> <td> <a href="/techniques/T1021">Remote Services</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> uses valid network credentials gathered through credential harvesting to move laterally within victim networks, often employing the <a href="/software/S0357">Impacket</a> framework to do so.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. 
Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1018">T1018</a> </td> <td> <a href="/techniques/T1018">Remote System Discovery</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has used tools such as Nmap and MASSCAN for remote service discovery.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1053">T1053</a> </td> <td> <a href="/techniques/T1053/005">.005</a> </td> <td> <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/005">Scheduled Task</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> uses remotely scheduled tasks to facilitate remote command execution on victim machines.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. 
Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1505">T1505</a> </td> <td> <a href="/techniques/T1505/003">.003</a> </td> <td> <a href="/techniques/T1505">Server Software Component</a>: <a href="/techniques/T1505/003">Web Shell</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> deploys web shells following initial access for either follow-on command execution or protocol tunneling. Example web shells used by <a href="/groups/G1003">Ember Bear</a> include P0wnyshell, reGeorg, <a href="/software/S0598">P.A.S. Webshell</a>, and custom variants of publicly-available web shell examples.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1195">T1195</a> </td> <td> <a href="/techniques/T1195">Supply Chain Compromise</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has compromised information technology providers and software developers providing services to targets of interest, building initial access to ultimate victims at least in part through compromise of service providers that work with the victim organizations.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1552">T1552</a> </td> <td> <a href="/techniques/T1552/001">.001</a> </td> <td> <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/001">Credentials In Files</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has dumped configuration settings in accessed IP cameras including plaintext credentials.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). 
Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1550">T1550</a> </td> <td> <a href="/techniques/T1550/002">.002</a> </td> <td> <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/techniques/T1550/002">Pass the Hash</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has used pass-the-hash techniques for lateral movement in victim environments.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1078">T1078</a> </td> <td> <a href="/techniques/T1078/001">.001</a> </td> <td> <a href="/techniques/T1078">Valid Accounts</a>: <a href="/techniques/T1078/001">Default Accounts</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has abused default user names and passwords in externally-accessible IP cameras for initial access.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. 
(2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024." data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1125">T1125</a> </td> <td> <a href="/techniques/T1125">Video Capture</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has exfiltrated images from compromised IP cameras.<span onclick="scrollToRef('scite-1')" id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024." data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1047">T1047</a> </td> <td> <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has executed commands remotely through WMI while authenticating with password hashes rather than plaintext passwords (pass-the-hash), for command execution and lateral movement.<span onclick="scrollToRef('scite-1')" id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="software">Software</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/software/S0521">S0521</a> </td> <td> <a href="/software/S0521">BloodHound</a> </td> <td> <a href="/groups/G1003">Ember Bear</a> has used <a href="/software/S0521">BloodHound</a> to profile Active Directory environments.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/002">Domain Account</a>, <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/001">Local Account</a>, <a href="/techniques/T1560">Archive Collected Data</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1482">Domain Trust Discovery</a>, <a href="/techniques/T1615">Group Policy Discovery</a>, <a href="/techniques/T1106">Native API</a>, <a href="/techniques/T1201">Password Policy Discovery</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/002">Domain Groups</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/001">Local Groups</a>, <a href="/techniques/T1018">Remote System Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0488">S0488</a> </td> <td> <a href="/software/S0488">CrackMapExec</a> </td> <td> <a href="/groups/G1003">Ember Bear</a> used <a href="/software/S0488">CrackMapExec</a> during intrusions.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/002">Domain Account</a>, <a href="/techniques/T1110">Brute Force</a>: <a href="/techniques/T1110/003">Password Spraying</a>, <a href="/techniques/T1110">Brute Force</a>: <a href="/techniques/T1110/001">Password Guessing</a>, <a href="/techniques/T1110">Brute Force</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1112">Modify Registry</a>, <a href="/techniques/T1135">Network Share Discovery</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/002">Security Account Manager</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/003">NTDS</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/004">LSA Secrets</a>, <a href="/techniques/T1201">Password Policy Discovery</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/002">Domain Groups</a>, <a href="/techniques/T1018">Remote System Discovery</a>, <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/002">At</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1049">System Network Connections Discovery</a>, <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/techniques/T1550/002">Pass the Hash</a>, <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a 
href="/software/S0357">S0357</a> </td> <td> <a href="/software/S0357">Impacket</a> </td> <td> <a href="/groups/G1003">Ember Bear</a> has used <a href="/software/S0357">Impacket</a> for lateral movement and process execution in victim environments.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/techniques/T1557">Adversary-in-the-Middle</a>: <a href="/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="/techniques/T1040">Network Sniffing</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/003">NTDS</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/001">LSASS Memory</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/002">Security Account Manager</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/004">LSA Secrets</a>, <a href="/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/techniques/T1558/003">Kerberoasting</a>, <a href="/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/techniques/T1558/005">Ccache Files</a>, <a href="/techniques/T1569">System Services</a>: <a href="/techniques/T1569/002">Service Execution</a>, <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/software/S0508">S0508</a> </td> <td> <a href="/software/S0508">ngrok</a> </td> <td> <a href="/groups/G1003">Ember Bear</a> used <a href="/software/S0508">ngrok</a> during intrusions against Ukrainian victims.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. 
Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </td> <td> <a href="/techniques/T1568">Dynamic Resolution</a>: <a href="/techniques/T1568/002">Domain Generation Algorithms</a>, <a href="/techniques/T1567">Exfiltration Over Web Service</a>, <a href="/techniques/T1572">Protocol Tunneling</a>, <a href="/techniques/T1090">Proxy</a>, <a href="/techniques/T1102">Web Service</a> </td> </tr> <tr> <td> <a href="/software/S0598">S0598</a> </td> <td> <a href="/software/S0598">P.A.S. Webshell</a> </td> <td> <a href="/groups/G1003">Ember Bear</a> has used <a href="/software/S0598">P.A.S. Webshell</a> during intrusions.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/001">Local Account</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1110">Brute Force</a>: <a href="/techniques/T1110/001">Password Guessing</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>, <a href="/techniques/T1213">Data from Information Repositories</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1222">File and Directory Permissions Modification</a>: <a href="/techniques/T1222/002">Linux and Mac File and Directory Permissions Modification</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1046">Network Service Discovery</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>, <a href="/techniques/T1505">Server Software Component</a>: <a href="/techniques/T1505/003">Web Shell</a>, <a href="/techniques/T1518">Software Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0029">S0029</a> </td> <td> <a href="/software/S0029">PsExec</a> </td> <td> <a href="/groups/G1003">Ember Bear</a> has used <a href="/software/S0029">PsExec</a> through frameworks such as <a href="/software/S0357">Impacket</a> for remote command execution.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et 
al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/002">Domain Account</a>, <a href="/techniques/T1543">Create or Modify System Process</a>: <a href="/techniques/T1543/003">Windows Service</a>, <a href="/techniques/T1570">Lateral Tool Transfer</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/techniques/T1569">System Services</a>: <a href="/techniques/T1569/002">Service Execution</a> </td> </tr> <tr> <td> <a href="/software/S1040">S1040</a> </td> <td> <a href="/software/S1040">Rclone</a> </td> <td> <a href="/groups/G1003">Ember Bear</a> has used <a href="/software/S1040">Rclone</a> to exfiltrate information from victim environments.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/techniques/T1560">Archive Collected Data</a>: <a href="/techniques/T1560/001">Archive via Utility</a>, <a href="/techniques/T1030">Data Transfer Size Limits</a>, <a href="/techniques/T1048">Exfiltration Over Alternative Protocol</a>: <a href="/techniques/T1048/002">Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</a>, <a href="/techniques/T1048">Exfiltration Over Alternative Protocol</a>: <a href="/techniques/T1048/003">Exfiltration Over Unencrypted Non-C2 Protocol</a>, <a href="/techniques/T1567">Exfiltration Over Web Service</a>: <a href="/techniques/T1567/002">Exfiltration to Cloud Storage</a>, <a href="/techniques/T1083">File and Directory Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0174">S0174</a> </td> <td> <a href="/software/S0174">Responder</a> </td> <td> <a href="/groups/G1003">Ember Bear</a> has used <a href="/software/S0174">Responder</a> in intrusions.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024." data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/techniques/T1557">Adversary-in-the-Middle</a>: <a href="/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="/techniques/T1040">Network Sniffing</a> </td> </tr> <tr> <td> <a href="/software/S1018">S1018</a> </td> <td> <a href="/software/S1018">Saint Bot</a> </td> <td> <a href="/groups/G1003">Ember Bear</a> has used <a href="/software/S1018">Saint Bot</a> during operations; despite the similar name, Ember Bear is distinct from the threat actor <a href="/groups/G1031">Saint Bear</a>.<span onclick="scrollToRef('scite-1')" id="scite-ref-1-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/techniques/T1548/002">Bypass User Account Control</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/005">Visual Basic</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1132">Data Encoding</a>: <a href="/techniques/T1132/001">Standard Encoding</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1622">Debugger Evasion</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1574">Hijack Execution Flow</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1036">Masquerading</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/techniques/T1106">Native API</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/002">Software Packing</a>, <a 
href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/002">Spearphishing Link</a>, <a href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/001">Spearphishing Attachment</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1055">Process Injection</a>: <a href="/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/techniques/T1055">Process Injection</a>: <a href="/techniques/T1055/004">Asynchronous Procedure Call</a>, <a href="/techniques/T1055">Process Injection</a>: <a href="/techniques/T1055/012">Process Hollowing</a>, <a href="/techniques/T1012">Query Registry</a>, <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/005">Scheduled Task</a>, <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/010">Regsvr32</a>, <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/004">InstallUtil</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1614">System Location Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a>, <a href="/techniques/T1204">User Execution</a>: <a href="/techniques/T1204/002">Malicious File</a>, <a href="/techniques/T1204">User Execution</a>: <a href="/techniques/T1204/001">Malicious Link</a>, <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/techniques/T1497/003">Time Based Evasion</a>, <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/techniques/T1497/001">System Checks</a> </td> </tr> <tr> <td> <a href="/software/S0689">S0689</a> </td> <td> <a href="/software/S0689">WhisperGate</a> </td> <td> <a href="/groups/G1003">Ember Bear</a> is associated with <a href="/software/S0689">WhisperGate</a> use against multiple victims in Ukraine.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" 
title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="CrowdStrike. (2022, March 30). Who is EMBER BEAR?. Retrieved June 9, 2022."data-reference="CrowdStrike Ember Bear Profile March 2022"><sup><a href="https://www.crowdstrike.com/blog/who-is-ember-bear/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Sadowski, J; Hall, R. (2022, March 4). Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation. 
Retrieved June 9, 2022."data-reference="Mandiant UNC2589 March 2022"><sup><a href="https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> </td> <td> <a href="/techniques/T1134">Access Token Manipulation</a>: <a href="/techniques/T1134/002">Create Process with Token</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/005">Visual Basic</a>, <a href="/techniques/T1485">Data Destruction</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1561">Disk Wipe</a>: <a href="/techniques/T1561/002">Disk Structure Wipe</a>, <a href="/techniques/T1561">Disk Wipe</a>: <a href="/techniques/T1561/001">Disk Content Wipe</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/001">Disable or Modify Tools</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1036">Masquerading</a>, <a href="/techniques/T1106">Native API</a>, <a href="/techniques/T1135">Network Share Discovery</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/techniques/T1542">Pre-OS Boot</a>: <a href="/techniques/T1542/003">Bootkit</a>, <a href="/techniques/T1055">Process Injection</a>: <a href="/techniques/T1055/012">Process Hollowing</a>, <a href="/techniques/T1620">Reflective Code 
Loading</a>, <a href="/techniques/T1518">Software Discovery</a>: <a href="/techniques/T1518/001">Security Software Discovery</a>, <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/004">InstallUtil</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1569">System Services</a>: <a href="/techniques/T1569/002">Service Execution</a>, <a href="/techniques/T1529">System Shutdown/Reboot</a>, <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/techniques/T1497/001">System Checks</a>, <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/techniques/T1497/003">Time Based Evasion</a>, <a href="/techniques/T1102">Web Service</a> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank"> US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank"> Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023. 
</a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.crowdstrike.com/blog/who-is-ember-bear/" target="_blank"> CrowdStrike. (2022, March 30). Who is EMBER BEAR?. Retrieved June 9, 2022. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="4"> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation" target="_blank"> Sadowski, J; Hall, R. (2022, March 4). Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation. Retrieved June 9, 2022. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank"> Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy 