Threat Intelligence Tarot
Vol. II · 128
Russia
risk 4/5
The Ember Before the Fire
Ember Bear
UAC-0056 · Saint Bear · Bleeding Bear · Lorec53 · Nodaria
Ukrainian government · Ukrainian critical infrastructure · Eastern European NATO members
Active since ~2020 · Disruption, Pre-positioning, Ukraine-focused espionage
The Ember Before the Fire glowed quietly in the days before February 24, 2022 — a small light that meant nothing until the night it became everything. Its operators measured success in what would later be ash.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1566.001 Spearphishing Attachment (Initial Access)
  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1485 Data Destruction (Impact)
  • T1561 Disk Wipe (Impact)
  • T1027 Obfuscated Files or Information (Defense Evasion)
  • T1041 Exfiltration Over C2 Channel (Exfiltration)
Notable Operations
  • WhisperGate wiper deployment against Ukraine (January 2022)
  • Pre-invasion staging of destructive payloads
  • GraphSteel and GrimPlant credential harvesters
  • Continued targeting of Ukrainian government and CERT-UA tracking
Defenses
  • Off-region backup with immutable storage and tested restore
    CIS Control 11
  • Wiper-aware EDR detection rules covering MBR overwrite and disk wiping
    MITRE D3FEND
  • Critical infrastructure network segmentation from corporate networks
    NIST SP 800-82
  • Geopolitical risk integration into security operations posture
    NIST CSF: ID.RA
Reversed: Their Weakness
CERT-UA's public IOC sharing and Ukraine's distributed cloud backup strategy (Operation Backup Ukraine) demonstrate that pre-positioned wipers can be neutralized through pre-positioned resilience.

Data sourced from MITRE ATT&CK. For educational purposes.