www.crowdstrike.com
2606:4700::6811:63a
Public Scan
URL:
https://www.crowdstrike.com/blog/who-is-ember-bear/
Submission: On May 23 via manual from JP — Scanned from JP
WHO IS EMBER BEAR?

March 30, 2022
CrowdStrike Threat Intel Team
Executive Viewpoint, Research & Threat Intel

4/4/22 Editor’s note: The hearing described below has been rescheduled for 10 a.m. EST on Tuesday, April 5.

On Wednesday, March 30, 2022, Adam Meyers, CrowdStrike Senior Vice President of Intelligence, will testify in front of CHS (House Committee on Homeland Security) on Russian cyber threats to critical infrastructure. Within his testimony, Adam will speak publicly for the first time about a Russia-nexus state-sponsored actor that CrowdStrike Intelligence tracks as EMBER BEAR.

EMBER BEAR (aka UAC-0056, Lorec53, Lorec Bear, Bleeding Bear, Saint Bear) is an adversary group that has operated against government and military organizations in eastern Europe since early 2021, likely to collect intelligence from target networks. EMBER BEAR appears primarily motivated to weaponize the access and data obtained during their intrusions to support information operations (IO) aimed at creating public mistrust in targeted institutions and degrading government ability to counter Russian cyber operations.

Meet the Adversary: EMBER BEAR

CrowdStrike Intelligence attributes destructive activity against Ukrainian networks using the WhisperGate wiper to EMBER BEAR, assessed at moderate confidence. Additionally, CrowdStrike Intelligence assesses with low confidence that data obtained through EMBER BEAR operations are used to support data leak operations conducted by multiple attribution fronts.

While other Russia-state nexus adversaries have also been implicated in the dissemination of stolen data for similar motivations — particularly FANCY BEAR and VOODOO BEAR, both operated by Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) — EMBER BEAR does not present known links with previously tracked adversaries. EMBER BEAR is not currently attributed to a specific Russian organization, although the adversary’s target profile, assessed intent, and their technical tactics, techniques and procedures (TTPs) are consistent with other GRU cyber operations.

CROWDSTRIKE INTELLIGENCE CONFIDENCE DESCRIPTIONS

High Confidence – Judgments are based on high-quality information from multiple sources. High confidence in the quality and quantity of source information supporting a judgment does not imply that that assessment is an absolute certainty or fact. The judgment still has a marginal probability of being inaccurate.

Moderate Confidence – Judgments are based on information that is credibly sourced and plausible, but not of sufficient quantity or corroborated sufficiently to warrant a higher level of confidence. This level of confidence is used to express that judgments carry an increased probability of being incorrect until more information is available or corroborated.

Low Confidence – Judgments are made where the credibility of the source is uncertain, the information is too fragmented or too poorly corroborated to make solid analytic inferences, or the reliability of the source is untested. Further information is needed for corroboration of the information or to fill known intelligence gaps.

ADDITIONAL RESOURCES

* To watch Adam Meyers’ CHS testimony, visit the Committee on Homeland Security website.
* Learn how to incorporate intelligence on dangerous threat actors into your security strategy by visiting the CrowdStrike Falcon® Intelligence™ product page.
* Request a free CrowdStrike Intelligence threat briefing and learn how to stop adversaries targeting your organization.
* Learn more about the CrowdStrike Falcon® platform by visiting the product webpage.
* Get a full-featured free trial of CrowdStrike Falcon® Prevent™ to see for yourself how true next-gen AV performs against today’s most sophisticated threats.