Background
Ember Bear, designated UAC-0056 by Ukraine's CERT-UA and tracked as Lorec53 and Bleeding Bear by other vendors, is a Russian state-sponsored threat actor with a near-exclusive focus on Ukraine and organizations supporting Ukrainian interests. The group emerged as a distinct tracked entity in early 2021, though activities may predate formal identification. It is assessed to operate in service of Russia's Federal Security Service (FSB) or General Staff intelligence, with an operational mandate centered on destabilizing Ukrainian government functions and conducting destructive cyberattacks as part of Russia's broader hybrid warfare campaign against Ukraine.
Ember Bear is best known for deploying WhisperGate, a destructive malware disguised as ransomware, against multiple Ukrainian government agencies and IT organizations in January 2022, weeks before Russia's full-scale military invasion of Ukraine began on February 24, 2022. The WhisperGate campaign was a deliberate attempt to destroy Ukrainian government data and disrupt operations in advance of the kinetic invasion, following the established Russian military doctrine of combining cyber effects with conventional military operations.
The group's profile illustrates Russia's approach to cyber operations during the Ukraine conflict: a blend of espionage, defacement, data destruction, and supply chain attacks against Ukraine's government and critical infrastructure. Ember Bear has shown willingness to conduct destructive operations that go beyond typical nation-state espionage constraints, reflecting the existential framing of the conflict from Russia's perspective.
Notable Campaigns
WhisperGate Destructive Campaign (January 2022): Hours before Russia's formal military buildup reached full scale, Ember Bear deployed WhisperGate against Ukrainian government agencies, non-profits, and IT companies. WhisperGate appeared to be ransomware but was actually a wiper; it contained no mechanism for key recovery and was designed solely to destroy data. Simultaneously, the group defaced Ukrainian government websites with threatening messages in Ukrainian, Polish, and Russian. The campaign targeted the Ukrainian Ministry of Foreign Affairs, Ministry of Education, State Treasury, and State Emergency Service.
Ukrainian State Agency Spearphishing (2021): Throughout 2021, Ember Bear conducted sustained spearphishing campaigns against Ukrainian government ministries, using document lures referencing Ukrainian domestic politics, COVID-19 policy, and Russia-Ukraine diplomatic interactions. The SaintBot and OutSteel malware families were deployed as the primary reconnaissance and data theft tools.
Supply Chain Attack via IT Integrators (2022): CERT-UA documented Ember Bear compromising Ukrainian IT service providers and software vendors to gain indirect access to government agency systems. This supply chain approach allowed the group to leverage trusted vendor relationships for initial access.
European Support Infrastructure Targeting (2022-2024): Following Ukraine's military counteroffensives, Ember Bear expanded targeting to European organizations providing military, financial, and logistical support to Ukraine, particularly in Poland, the Czech Republic, and Germany.
Tactics, Techniques & Procedures
Spearphishing with Ukrainian-Language Lures: Ember Bear uses highly targeted spearphishing emails in Ukrainian (T1566.001), with lures themed around Ukrainian domestic policy, military affairs, and administrative processes. The attached documents exploit Office vulnerabilities and contain macros that deploy SaintBot loaders. The group demonstrates familiarity with Ukrainian government organizational structures and bureaucratic communication styles.
Destructive Operations as Cover: WhisperGate's deployment as pseudo-ransomware was a deliberate deception intended to create confusion and delay incident response by suggesting a criminal ransomware motive. The group has a documented preference for destructive operations timed to coincide with or precede significant geopolitical events (T1485, T1490).
Supply Chain Compromise: Ember Bear has targeted Ukrainian software developers and IT service providers to gain access to their client networks (T1195.002). The group compromised Ukrainian IT companies' build environments to deploy malicious updates to government agency clients.
Credential Theft and Lateral Movement: After initial compromise, the group deploys credential harvesting tools and uses the stolen credentials for lateral movement. Cobalt Strike Beacon serves as the primary post-exploitation framework. The group uses legitimate administrative tools, including remote desktop, WMI, and scheduled tasks, for stealthy lateral movement.
Tools & Malware
- WhisperGate: A two-component destructive tool disguised as ransomware. The first component overwrites the Master Boot Record with a ransom note message, rendering the system unbootable. The second component is a file corrupter that destroys data across multiple file types. It contains no decryption mechanism; destruction is the sole purpose.
- SaintBot: A .NET-based downloader used as a first-stage payload, collecting system information and downloading additional payloads based on victim profiling. Uses anti-analysis techniques including sandbox detection and sleep delays.
- OutSteel: A document stealer that searches for and exfiltrates files matching specific extensions, including .docx, .xlsx, .pdf, and .txt. Compresses and uploads stolen files to attacker-controlled infrastructure.
- GraphSteel: A Go-based information stealer targeting credentials from browsers, email clients, and cryptocurrency wallets, with exfiltration via the Microsoft Graph API to blend with legitimate Microsoft 365 traffic.
- GrimPlant: A Go-based backdoor using Google's gRPC protocol for encrypted C2 communication, providing command execution and file transfer capabilities.
- BurntBamboo: A custom loader deploying Cobalt Strike payloads, using process hollowing to inject into legitimate Windows processes.
Indicators & Detection
Destructive Malware Preparedness: Organizations in Ukraine and those supporting Ukraine should implement regular offline backups with air-gapped storage and test backup restoration procedures regularly. Monitor for processes that simultaneously open large numbers of files for writing across multiple directories, a signature behavior of file encryption and corruption malware.
MBR Protection: Enable Secure Boot and UEFI integrity monitoring to detect MBR-overwrite attacks like those used by WhisperGate. Windows 10/11 Secure Boot prevents unauthorized MBR modification. Because boot-chain checks only surface tampering at the next restart, also monitor for direct disk access attempts by non-system processes, which fire at the moment of the overwrite.
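The two endpoint signals described above (a single process writing to many files across many directories in a short window, and a non-system process opening a raw disk device for writing) can be expressed as simple stateful rules over file-activity telemetry. The following is an added example, not code from the original profile or from any vendor; the event schema (ts, pid, image, action, target), the thresholds, the raw-disk allowlist, and the sample events are all constructed assumptions modelled loosely on a Sysmon-style feed and should be tuned per environment.

```python
"""Heuristic detections for wiper-style activity (added example, constructed telemetry)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath

# Hypothetical allowlist of images that legitimately write to raw disk devices.
# These paths are assumptions for the example, not a vendor-published list.
RAW_DISK_ALLOWLIST = {
    r"c:\windows\system32\vds.exe",
    r"c:\windows\system32\defrag.exe",
}


def _build_sample_events():
    """Constructed sample telemetry (not real captures)."""
    t0 = datetime(2022, 1, 13, 21, 0, 0)
    ev = []
    # Benign: a service writing a few log files in one directory over a minute.
    for i in range(5):
        ev.append({"ts": t0 + timedelta(seconds=10 * i), "pid": 1204,
                   "image": r"C:\Windows\System32\svchost.exe", "action": "FileWrite",
                   "target": rf"C:\Windows\Logs\CBS\cbs{i}.log"})
    # Suspicious: a temp-directory binary overwriting user and share files
    # across eight directories in under ten seconds.
    user_dirs = [r"C:\Users\alice\Documents", r"C:\Users\alice\Desktop",
                 r"C:\Users\alice\Pictures", r"C:\Users\alice\Downloads",
                 r"C:\Users\bob\Documents", r"C:\Shared\Finance",
                 r"C:\Shared\HR", r"C:\Shared\Projects"]
    for i in range(64):
        ev.append({"ts": t0 + timedelta(milliseconds=150 * i), "pid": 5520,
                   "image": r"C:\Users\alice\AppData\Local\Temp\stage2.exe",
                   "action": "FileWrite",
                   "target": ntpath.join(user_dirs[i % len(user_dirs)], f"file{i}.docx")})
    # The same binary then opens the physical drive for writing (MBR-overwrite pattern).
    ev.append({"ts": t0 + timedelta(seconds=12), "pid": 5520,
               "image": r"C:\Users\alice\AppData\Local\Temp\stage2.exe",
               "action": "RawDiskWrite", "target": r"\\.\PhysicalDrive0"})
    return sorted(ev, key=lambda e: e["ts"])


SAMPLE_EVENTS = _build_sample_events()


def detect_mass_file_writes(events, window_seconds=60, min_files=50, min_dirs=5):
    """Alert once per process that writes >= min_files distinct files spanning
    >= min_dirs distinct directories inside a sliding window of window_seconds."""
    recent = defaultdict(deque)   # pid -> write events still inside the window
    fired, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "FileWrite" or ev["pid"] in fired:
            continue
        q = recent[ev["pid"]]
        q.append(ev)
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while q and q[0]["ts"] < cutoff:      # drop events that aged out of the window
            q.popleft()
        files = {e["target"].lower() for e in q}
        dirs = {ntpath.dirname(f) for f in files}
        if len(files) >= min_files and len(dirs) >= min_dirs:
            fired.add(ev["pid"])
            alerts.append({"rule": "mass_file_write", "pid": ev["pid"],
                           "image": ev["image"], "files": len(files), "dirs": len(dirs)})
    return alerts


def detect_raw_disk_writes(events, allowlist=RAW_DISK_ALLOWLIST):
    """Alert on write access to the raw device namespace (PhysicalDriveN or a
    bare volume such as C:) from any image not on the allowlist."""
    alerts = []
    for ev in events:
        raw_device = ev["target"].startswith("\\\\.\\")
        if raw_device and ev["action"] in ("FileWrite", "RawDiskWrite") \
                and ev["image"].lower() not in allowlist:
            alerts.append({"rule": "raw_disk_write", "pid": ev["pid"],
                           "image": ev["image"], "device": ev["target"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_file_writes(SAMPLE_EVENTS) + detect_raw_disk_writes(SAMPLE_EVENTS):
        print(alert)
```

The mass-write rule fires on the 50th distinct file rather than waiting for the process to finish, which matters for a wiper that corrupts a whole drive in seconds; the raw-disk rule fires on the first write handle, so the two together cover both WhisperGate stages described in the Tools section.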
SaintBot and OutSteel Detection: Detect SaintBot by monitoring for .NET processes that sleep for unusual durations during initialization (sandbox evasion). Alert on processes that enumerate specific file extensions and compress files before establishing outbound connections. Monitor for Go-compiled executables making connections to Google API endpoints in environments where Google Workspace is not actively used.
Network Telemetry: Monitor for gRPC traffic (HTTP/2 with specific framing patterns) from endpoints to non-corporate infrastructure. Alert on Microsoft Graph API access from unusual processes or endpoints. Implement outbound traffic inspection to detect data exfiltration patterns, including compressed archives being transmitted to cloud storage.
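The OutSteel collect-compress-connect sequence and the GraphSteel pattern of Graph API access from an unexpected process both reduce to correlating a single process's file and network events over time. The following is an added example, not code from the original profile or from any vendor; the event schema (ts, pid, image, type, target), the Graph allowlist, and the sample events are constructed assumptions, and the outbound address 203.0.113.10 is an RFC 5737 documentation address rather than an indicator.

```python
"""Correlating document collection, archive staging and outbound connections per
process, plus Graph API access from non-allowlisted images (added example,
constructed telemetry)."""
from datetime import datetime, timedelta
import ntpath

DOC_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
# Hypothetical allowlist of images expected to reach graph.microsoft.com; tune per tenant.
GRAPH_ALLOWLIST = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\program files\microsoft onedrive\onedrive.exe",
}


def _build_sample_events():
    """Constructed sample telemetry (not real captures). NetConnect targets are host:port."""
    t0 = datetime(2022, 3, 1, 9, 30, 0)
    ev = []
    # Benign: Outlook syncing with Graph, and a service reading a couple of text files.
    ev.append({"ts": t0, "pid": 4480, "type": "NetConnect", "target": "graph.microsoft.com:443",
               "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"})
    for i in range(2):
        ev.append({"ts": t0 + timedelta(seconds=i), "pid": 1204, "type": "FileRead",
                   "image": r"C:\Windows\System32\svchost.exe",
                   "target": rf"C:\Windows\Temp\note{i}.txt"})
    # Suspicious: an unknown binary reads 30 documents, zips them, then connects out,
    # first to Graph and then to an external host.
    bad = r"C:\Users\alice\AppData\Roaming\update.exe"
    for i in range(30):
        ext = [".docx", ".xlsx", ".pdf"][i % 3]
        ev.append({"ts": t0 + timedelta(seconds=5 + i), "pid": 7712, "image": bad,
                   "type": "FileRead", "target": rf"C:\Users\alice\Documents\report{i}{ext}"})
    ev.append({"ts": t0 + timedelta(seconds=40), "pid": 7712, "image": bad,
               "type": "FileCreate", "target": r"C:\Users\alice\AppData\Local\Temp\out.zip"})
    ev.append({"ts": t0 + timedelta(seconds=45), "pid": 7712, "image": bad,
               "type": "NetConnect", "target": "graph.microsoft.com:443"})
    ev.append({"ts": t0 + timedelta(seconds=46), "pid": 7712, "image": bad,
               "type": "NetConnect", "target": "203.0.113.10:443"})
    return sorted(ev, key=lambda e: e["ts"])


SAMPLE_EVENTS = _build_sample_events()


def detect_collect_stage_exfil(events, window_seconds=300, min_docs=20):
    """Alert once per process whose timeline shows >= min_docs distinct document
    reads, then creation of an archive, then an outbound connection, all within
    window_seconds of the first document read."""
    state, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = state.setdefault(ev["pid"], {"first": None, "docs": set(), "archive": None, "fired": False})
        if st["fired"]:
            continue
        ext = ntpath.splitext(ev["target"])[1].lower()
        if ev["type"] == "FileRead" and ext in DOC_EXTENSIONS:
            st["first"] = st["first"] or ev["ts"]          # start of the collection phase
            st["docs"].add(ev["target"].lower())
        elif ev["type"] == "FileCreate" and ext in ARCHIVE_EXTENSIONS and len(st["docs"]) >= min_docs:
            st["archive"] = ev["target"]                   # staging phase observed
        elif ev["type"] == "NetConnect" and st["archive"] \
                and ev["ts"] - st["first"] <= timedelta(seconds=window_seconds):
            st["fired"] = True
            alerts.append({"rule": "collect_stage_exfil", "pid": ev["pid"], "image": ev["image"],
                           "docs": len(st["docs"]), "archive": st["archive"], "dest": ev["target"]})
    return alerts


def detect_graph_from_unusual_process(events, allowlist=GRAPH_ALLOWLIST):
    """Alert once per process that connects to graph.microsoft.com without being allowlisted."""
    seen, alerts = set(), []
    for ev in events:
        host = ev["target"].split(":")[0].lower()
        if ev["type"] == "NetConnect" and host == "graph.microsoft.com" \
                and ev["image"].lower() not in allowlist and ev["pid"] not in seen:
            seen.add(ev["pid"])
            alerts.append({"rule": "graph_api_unusual_process", "pid": ev["pid"], "image": ev["image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_collect_stage_exfil(SAMPLE_EVENTS) + detect_graph_from_unusual_process(SAMPLE_EVENTS):
        print(alert)
```

Ordering is what gives the first rule its precision: a backup agent reads many documents and a browser creates archives, but few legitimate processes do both and then open a new outbound connection inside a few minutes. The Graph rule is deliberately image-based rather than destination-based, since the destination is legitimate by design.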