active profile
type: Nation-State
threat_level: Critical
status: Active
origin: Russia — GRU Unit 29155
last_updated: 2026-03-26

Ember Bear / UAC-0056

also known as: Cadet Blizzard, FROZENVISTA, Nodaria, Ruinous Ursa, Bleeding Bear, UNC2589, TA471, DEV-0586, Nascent Ursa, GRU Unit 29155, G1003

A GRU cyber unit formally linked — in a September 2024 DOJ indictment — to Unit 29155, the same special operations unit responsible for the 2018 Salisbury nerve agent poisoning of Sergei Skripal, the 2014 Vrbětice ammunition warehouse explosions in Czechia, the 2016 attempted coup in Montenegro, and alleged Havana Syndrome incidents against US officials. In January 2022, days before Russia's full-scale invasion of Ukraine, Ember Bear deployed WhisperGate — a destructive wiper masquerading as ransomware — against Ukrainian government networks. The group subsequently conducted sustained campaigns against 26 NATO members, including website defacements, infrastructure scanning, data exfiltration, and data leak operations. Five GRU officers and one civilian co-conspirator face US indictment. The Department of State offers a $10 million reward.

attributed origin: Russia — GRU Unit 29155 / 161st Specialist Training Center
doj indictment: 5 GRU officers + 1 civilian indicted — September 5, 2024
active since (cyber): At least 2020 (kinetic ops since ~2014)
whispergate deployed: January 13, 2022 — days before Russian invasion
nato reach: 26 NATO members + EU, Latin America, Central Asia
reward: $10M — Rewards for Justice (Dept. of State)
unit 29155 context: Same unit: Salisbury poisoning, Vrbětice explosions, Montenegro coup attempt
distinct from: Separate from GRU Unit 26165 (Fancy Bear) and Unit 74455 (Sandworm)
cyber team composition: Junior GRU officers + civilian cyber-criminal enablers

Overview

Ember Bear is the cyber operations arm of GRU Unit 29155 — Russia's 161st Specialist Training Center — a unit that until 2020 was known primarily for assassinations, sabotage, coups, and influence operations across Europe. The formal cyber attribution to Unit 29155 was not established publicly until the September 2024 DOJ indictment, making this one of the most significant organizational attribution events in cyber threat intelligence history: it connected a years-long series of destructive cyber campaigns directly to the same operational unit that deployed Novichok nerve agent on British soil in 2018.

The connection between Unit 29155's kinetic and cyber operations matters beyond attribution. It tells analysts something specific about the unit's mandate: this is not a dedicated cyber intelligence collection unit like GRU Unit 26165 (Fancy Bear / APT28) or a cyber sabotage unit like GRU Unit 74455 (Sandworm). Unit 29155 is a hybrid special operations unit that uses whatever tools serve its mission — which the FBI and CISA describe as "espionage, sabotage, and reputational harm." When Unit 29155 was given a Ukraine mission in 2020, it expanded its toolkit to include cyber operations alongside its existing physical operations repertoire. The cyber team was built by recruiting junior GRU officers — drawn in part from Capture the Flag (CTF) competition backgrounds — and augmented with civilian cyber-criminal enablers who provided tools and infrastructure.

The WhisperGate deployment on January 13, 2022 — eleven days before Russia's full-scale invasion on February 24 — was the unit's most consequential cyber operation and a textbook example of cyber operations used as a pre-invasion preparation campaign: simultaneously degrading Ukraine's government digital infrastructure, generating psychological impact through website defacements, and exfiltrating sensitive data from Ukrainian government networks before military operations commenced. The targets were deliberate: the Ukrainian Ministry of Internal Affairs, State Treasury, Judiciary Administration, Ministry of Education and Science, Ministry of Agriculture, Ministry of Energy, State Emergency Service, and the State Portal for Digital Services — civilian government systems with no direct military value, which the DOJ specifically cited as evidence of "abhorrent disregard for innocent civilians."

naming note

This actor accumulated an unusually large number of designations before its Unit 29155 attribution was confirmed. CrowdStrike designated it Ember Bear on March 30, 2022 (also tracked by CrowdStrike as Bleeding Bear). Microsoft designated it Cadet Blizzard in April 2022 (previously DEV-0586). CERT-UA uses UAC-0056. Recorded Future uses FROZENVISTA. Symantec uses TA471 and Nodaria. Mandiant uses UNC2589. Palo Alto Networks uses Nascent Ursa. NSFOCUS uses Lorec Bear. MITRE ATT&CK tracks the group as G1003. All refer to the same operational cluster responsible for WhisperGate and subsequent campaigns. This profile uses Ember Bear / UAC-0056 consistent with the hub card, with Cadet Blizzard noted as the Microsoft designation most commonly encountered in US government advisory documents.

Unit 29155: From Nerve Agent to Wiper

Understanding Ember Bear requires understanding its parent unit — and the fact that Unit 29155 becoming a cyber actor is a historically unusual event in the documented threat landscape.

  • Physical Operations History (2014–2020): GRU Unit 29155 had been conducting kinetic special operations across Europe for years before its cyber capability emerged. The unit is attributed with the 2014 Vrbětice ammunition warehouse explosions in Czechia, which killed two Czech citizens and caused over one billion CZK in damage. In 2016, it attempted a coup in Montenegro — including a plot to assassinate Prime Minister Milo Đukanović and occupy the parliament building by force. In 2018, officers from Unit 29155 (operating under aliases "Ruslan Boshirov" and "Alexander Petrov," later identified by Bellingcat as Anatoliy Chepiga and Alexander Mishkin) deployed the Novichok nerve agent against former Russian double agent Sergei Skripal and his daughter Yulia in Salisbury, England. The unit has also been implicated in attempted poisonings of Bulgarian arms dealer Emilian Gebrev and, by some investigative accounts, in Havana Syndrome incidents targeting US officials.
  • The Cyber Expansion (2020+): The FBI assesses Unit 29155 began cyber operations around 2020, staffed in part by junior GRU officers recruited from CTF competition backgrounds. This timeline aligns with Russia's escalating focus on Ukraine and the unit's expansion of its hybrid warfare toolkit. The cyber team was not built from scratch — it was grafted onto an existing, experienced special operations unit that provided the institutional mandate (espionage, sabotage, reputational harm), the operational security culture, and the real-world tradecraft understanding that pure cyber units lack.
  • Distinct from Fancy Bear and Sandworm: CISA's September 2024 advisory was explicit: Unit 29155 cyber actors are "separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455." Fancy Bear (Unit 26165) specializes in long-duration espionage — election interference, DNC hack, WADA, etc. Sandworm (Unit 74455) specializes in large-scale infrastructure disruption — NotPetya, Olympic Destroyer, Ukraine power grid attacks. Ember Bear occupies a different niche: more aggressive and destructive than pure intelligence collection, less sophisticated in technical execution than Sandworm, but anchored in a unit with an existing mandate for physical sabotage and assassination that gives its operations a different character.
  • Junior Officers + Criminal Enablers: The FBI's assessment of Unit 29155's cyber team composition — junior active-duty GRU officers who are "gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions" — is a significant finding. These are not the experienced cyber operators of Fancy Bear or Sandworm. They are newer recruits operating under experienced physical-operations leadership (Col. Yuriy Denisov, the commanding officer of Cyber Operations for Unit 29155, is named in the indictment). The reliance on civilian criminal infrastructure — dark web forums, commodity malware like Raspberry Robin and SaintBot — reflects this composition. This suggests a unit that is developing its cyber capability in the field rather than coming to operations with pre-built advanced tooling.

WhisperGate: Technical Analysis

WhisperGate was deployed on January 13, 2022 against Ukrainian government organizations. It is a three-stage destructive wiper designed to render target systems permanently inoperable while presenting the appearance of ransomware — a false-flag design choice that mirrors NotPetya's operational deception, though with less technical sophistication.

  • Stage 1 — MBR Overwrite (stage1.exe): A 32-bit PE executable compiled with GCC MinGW, with a build timestamp of January 10, 2022 — three days before deployment. Upon execution, stage1.exe opens a handle to the master boot record using the Windows CreateFileW() API and overwrites exactly 512 bytes of the MBR with a malicious 16-bit bootloader. The new bootloader displays a fake ransom note on reboot — demanding $10,000 in Bitcoin to a wallet address and providing a Tox encrypted messaging ID — but contains no decryption mechanism. Data is not recoverable regardless of payment. After overwriting the MBR, the bootloader accesses the disk via BIOS interrupt 13h and overwrites every 199th sector until the end of the disk is reached, progressively corrupting the drive.
  • Stage 2 — Downloader (stage2.exe): A 32-bit .NET PE binary, also built January 10, 2022, that downloads stage 3 from Discord's CDN. The malware was staged on Discord as a disguised JPG attachment — using Discord's content delivery infrastructure as an unwitting distribution host. Stage2.exe contains a description written in Russian and masquerades as a Microsoft file. The use of Discord CDN for malware staging is a documented technique that bypasses many URL-based security controls that whitelist major cloud providers.
  • Stage 3 — File Corruptor: The final payload targets files matching a list of 191 specific file extensions — documents, images, databases, executables, and archives — encrypting and changing their extensions to render them inaccessible. Unlike functional ransomware, there is no key storage, no C2 check-in, and no recovery path. CISA's September 2024 advisory documented that in at least one instance following WhisperGate deployment, operators exfiltrated data to mega[.]nz using Rclone before triggering the wiper — collecting intelligence value from victim systems before destroying them.
  • False-Flag Ransomware Design: The ransomware presentation — ransom note, Bitcoin wallet, Tox ID — was operationally deliberate. The DOJ indictment states WhisperGate "was designed to look like ransomware" while actually being "a cyberweapon designed to completely destroy the target computer and related data." The false flag creates initial attribution ambiguity (this looks like a criminal ransomware operation), delays incident response (organizations attempt recovery procedures that cannot succeed), and provides Russia with plausible deniability in the immediate aftermath. The same Bitcoin wallet address was used across all WhisperGate victims — an unusual pattern for criminal ransomware that instead serves as a calling card.
  • Execution via Impacket: Microsoft documented that WhisperGate was executed on victim systems via Impacket — a Python toolkit for Windows network protocol implementations, widely used in legitimate security testing. The use of Impacket for lateral movement and remote execution is consistent with the broader pattern documented across Unit 29155 operations: preference for freely available tools over custom capabilities.
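
Because stage 1 rewrites only the first 512 bytes of the disk, a defender can baseline a host's MBR and diff it later. The checker below is an added example written for this profile, not code from any of the cited sources; the two MBR images it inspects are constructed, and the 40-character "long printable text in boot code" threshold is a heuristic chosen here (legitimate Windows boot code carries only short error strings).

```python
"""Baseline comparison for a 512-byte MBR image (added example; sample MBRs are constructed)."""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440            # bootstrap code; the 6 bytes that follow hold the NT disk signature
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"   # final two bytes of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR image into a bootstrap hash, the non-empty partition entries and the signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_valid": mbr[510:512] == BOOT_SIGNATURE,
    }


def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of printable ASCII; a boot-time message shows up as a long run."""
    best = run = 0
    for b in data:
        run = run + 1 if 0x20 <= b <= 0x7E else 0
        best = max(best, run)
    return best


def check_mbr(current: bytes, baseline: bytes, text_run_threshold: int = 40) -> list:
    """Return finding codes for a captured MBR compared with the host's known-good baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_valid"]:
        findings.append("boot-signature-missing")
    if cur["bootstrap_sha256"] != base["bootstrap_sha256"]:
        findings.append("bootstrap-modified")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition-table-changed")
    if longest_printable_run(current[:BOOTSTRAP_LEN]) >= text_run_threshold:
        findings.append("bootstrap-long-text")   # heuristic: boot code normally carries only short strings
    return findings


def _build_sample(bootstrap: bytes, partition_table: bytes) -> bytes:
    """Assemble a constructed MBR image: bootstrap + disk signature + partition table + 0x55AA."""
    assert len(bootstrap) == BOOTSTRAP_LEN and len(partition_table) == 64
    disk_signature = b"\x12\x34\x56\x78\x00\x00"   # constructed NT disk signature + 2 reserved bytes
    return bootstrap + disk_signature + partition_table + BOOT_SIGNATURE


# Constructed known-good image: filler boot code and one bootable NTFS (type 0x07) partition at LBA 2048.
BASELINE_MBR = _build_sample(
    bytes([0x33, 0xC0, 0x8E, 0xD0]) * 110,
    struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1_000_000) + bytes(48),
)
# Constructed tampered image: boot code replaced by a text-bearing stub, partition table zeroed,
# signature left intact so the replacement code still boots (the pattern the text describes).
TAMPERED_MBR = _build_sample(
    b"CONSTRUCTED SAMPLE: stand-in for a message displayed by replacement boot code".ljust(BOOTSTRAP_LEN, b"\x90"),
    bytes(64),
)

if __name__ == "__main__":
    print("baseline vs itself:", check_mbr(BASELINE_MBR, BASELINE_MBR))
    print("tampered vs baseline:", check_mbr(TAMPERED_MBR, BASELINE_MBR))
```

On a live host the current image comes from the first 512 bytes of the physical disk read with the tooling your EDR or forensic agent already provides; the baseline is taken at build time and stored off-host.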

Target Profile

Ember Bear's target profile reflects the dual mandate of espionage and sabotage: Ukrainian government systems for direct disruption, and NATO member infrastructure for intelligence collection and disruption of Ukraine aid efforts.

  • Ukrainian Government — Civilian Ministries: The January 2022 WhisperGate operation specifically targeted civilian government functions with no direct military value — the Ministry of Internal Affairs, State Treasury, Judiciary Administration, State Portal for Digital Services, Ministry of Education and Science, Ministry of Agriculture, Ministry of Energy, State Emergency Service, Accounting Chamber for Ukraine, State Forestry Agency, and Motor Insurance Bureau. The selection of civilian agencies rather than military systems reflects the operation's goal: maximizing disruption to Ukraine's government administration and creating psychological impact among the civilian population in advance of the invasion.
  • Transportation Infrastructure Supporting Ukraine: In October 2022, the group hacked the transportation infrastructure of a Central European country that was supporting Ukraine — targeting the logistics network enabling Western military aid to reach Ukraine. The timing matches a documented October 2022 cyberattack in Denmark that caused mass outages across the country's railway network, though the DOJ has not publicly named the country.
  • 26 NATO Member Countries: Between August 2021 and August 2024, Unit 29155 probed computer systems associated with 26 NATO member countries. The FBI observed more than 14,000 instances of domain scanning across these countries and several additional EU members. From early 2022, the primary focus of these NATO campaigns was "targeting and disrupting efforts to provide aid to Ukraine" — specifically disrupting the government and logistics systems of countries supporting Ukrainian defense.
  • Countries in Europe, Latin America, and Central Asia: Beyond NATO members, Ember Bear conducted operations against targets in non-NATO European countries, Latin American nations, and Central Asian states — consistent with a broad mandate to collect intelligence on any country or entity relevant to Russian strategic interests and the Ukraine conflict.
  • Ukrainian Patient Health Records: The DOJ indictment specifically noted that operators "exfiltrated sensitive data, including patient health records" from compromised Ukrainian systems — then posted defacements reading "Ukrainians! All information about you has become public, be afraid and expect the worst." The deliberate exposure and weaponization of private health data against the Ukrainian civilian population is consistent with Unit 29155's history of targeting civilians as a tool of psychological pressure.

Tactics, Techniques & Procedures

mitre id | technique | description
T1485 | Data Destruction — WhisperGate Wiper | WhisperGate's core capability: irreversible destruction of target system data and bootability. Stage 1 overwrites the MBR, eliminating boot capability; stage 3 corrupts 191 file extension types with no recovery mechanism. The wiper was executed via Impacket for remote lateral deployment across victim networks. The three-stage design — hosted partially on Discord CDN — demonstrates pre-operational planning and staging that preceded the deployment date by at least three days (build timestamps January 10 vs. deployment January 13).
T1491.001 | Defacement — Internal / External Websites | Coordinated with the WhisperGate deployment, operators defaced approximately 80 Ukrainian government websites on January 14, 2022 — displaying threatening messages in Ukrainian, Russian, and Polish reading "Ukrainians! All information about you has become public, be afraid and expect the worst. This is for your past, present and future." Website defacements provide psychological impact and public visibility while creating attribution ambiguity and generating media coverage. The Polish-language component was likely a false-flag element suggesting the attack might be blamed on Polish actors.
T1190 | Exploit Public-Facing Application | CISA's advisory documented that Unit 29155 cyber actors commonly exploit weaknesses in internet-facing systems — using publicly known CVEs for initial access. In one documented instance, operators exploited CVE-2021-33044 and CVE-2021-33045 (Dahua IP camera authentication bypass vulnerabilities) to gain initial access. The group uses Shodan and Acunetix to scan for vulnerable internet-facing systems and IoT devices, and executes exploitation scripts to authenticate to IP cameras with default credentials. This broad scanning and opportunistic exploitation approach is consistent with the unit's assessed junior-officer composition building field experience.
T1583 | Acquire Infrastructure — VPN and Dark Web Tools | Unit 29155 cyber actors use VPNs to anonymize operational activity. Operators maintain accounts on dark web forums to acquire commodity hacker tools — including Raspberry Robin (USB worm) and SaintBot (malware loader) — as well as exploit code and credential material. The reliance on dark web procurement rather than in-house development is consistent with the FBI's assessment of a junior team building experience, and reflects the civilian criminal enabler element of the unit's composition.
T1550.002 | Pass the Hash — ProxyChains Lateral Movement | CISA's technical analysis documented Unit 29155 using Pass-the-Hash via ProxyChains for lateral movement within victim networks. The technique harvests NTLM hashes from one system and reuses them to authenticate to other systems without requiring the plaintext password. Paired with ProxyChains to route the Pass-the-Hash traffic through intermediary systems, the technique makes lateral movement harder to trace to its origin. The group also used SSH/SSHPass executions and WMI with hash execution for remote system control.
T1567.002 | Exfiltration to Cloud Storage — Rclone / mega.nz | In at least one documented instance following WhisperGate deployment, Unit 29155 exfiltrated data to mega.nz using Rclone — the open-source command-line cloud storage synchronization tool. This exfiltration-before-destruction sequence demonstrates that the unit prioritized intelligence value extraction from victim systems before triggering the wiper. Stolen data was then used for reputational harm operations: leaked publicly or sold, with specific reference to exfiltrated patient health records from Ukrainian healthcare systems.
T1588.001 | Obtain Capabilities — Commodity Malware | The use of Raspberry Robin (a USB worm used as a malware loader and command-and-control tool) and SaintBot (a .NET-based malware loader) obtained from dark web forums reflects the unit's willingness to leverage existing criminal tooling rather than developing all capabilities in-house. This approach accelerates operational capability while adding attribution ambiguity — the presence of widely distributed commodity malware in victim environments initially suggests criminal rather than state actor involvement.
T1213 | Data from Information Repositories — Graphiron | From October 2022 through at least January 2023, Symantec documented the use of a previously unknown information-stealing malware called Graphiron targeting Ukrainian organizations. Graphiron was used to steal a wide range of data from infected machines, including files, credentials, screenshots, and system information. Unlike WhisperGate (destructive) and website defacement (psychological), Graphiron represents the espionage component of the unit's mandate — persistent intelligence collection from Ukrainian targets alongside the destructive and reputational harm campaigns.

Known Campaigns

WhisperGate — Pre-Invasion Ukraine Government Destruction January 13–14, 2022

The defining Ember Bear operation. On January 13, 2022 — eleven days before Russia's full-scale invasion of Ukraine on February 24 — Unit 29155 operators deployed WhisperGate against Ukrainian government networks. Targeted organizations included the Ukrainian Ministry of Internal Affairs, State Treasury, Judiciary Administration, State Portal for Digital Services, Ministry of Education and Science, Ministry of Agriculture, State Service for Food Safety and Consumer Protection, Ministry of Energy, Accounting Chamber for Ukraine, State Emergency Service, State Forestry Agency, and Motor Insurance Bureau. All were civilian organizations with no direct military function. Simultaneously, approximately 80 Ukrainian government websites were defaced with messages threatening the Ukrainian population in three languages. The compromised systems also had sensitive data including patient health records exfiltrated before the wiper destroyed the machines. The exfiltrated data was then offered for sale publicly, and the defacement messages announced the data had been made public. Microsoft first disclosed the WhisperGate campaign publicly on January 15, 2022. CrowdStrike attributed it to Ember Bear on March 30, 2022. Unit 29155 attribution was confirmed in the September 2024 DOJ indictment.

NATO Infrastructure Scanning and Targeting — Aid Disruption Campaign August 2021 – 2024

Beginning in August 2021 — six months before the WhisperGate deployment — Unit 29155 operators began probing computer systems associated with 26 NATO member countries, scanning for vulnerabilities. Following the full-scale invasion in February 2022, these scanning operations transitioned to active campaigns targeting NATO member government, transportation, and logistics systems — specifically those involved in providing military and humanitarian aid to Ukraine. The FBI documented more than 14,000 instances of domain scanning across NATO member countries and several EU states. Campaigns included website defacements, infrastructure scanning, data exfiltration, and data leak operations — with exfiltrated information either sold or posted publicly on operator-controlled websites. In October 2022, the unit hacked the transportation infrastructure of a Central European NATO member supporting Ukraine.

Graphiron Intelligence Collection — Ukraine October 2022 – January 2023+

Symantec's Threat Hunter Team documented a new data-stealing malware called Graphiron targeting Ukrainian organizations from October 2022 through at least mid-January 2023, attributed to TA471 (UAC-0056). Graphiron collected files, credentials, screenshots, and system information from infected machines — representing the espionage and intelligence collection component of the unit's post-invasion Ukraine operations, running in parallel with destructive and reputational harm campaigns. The use of a previously undocumented custom malware in Graphiron contrasts with the commodity and publicly available tooling documented elsewhere in the group's operations, suggesting some in-house development capability alongside dark web procurement.

DOJ Indictment — September 2024

A superseding indictment unsealed on September 5, 2024 in the District of Maryland charged five GRU officers and one civilian with conspiracy to commit computer intrusion and wire fraud conspiracy. The indictment was part of Operation Toy Soldier — a named international law enforcement effort involving the FBI and 12 partner agencies from nine allied countries. The Department of State simultaneously announced a $10 million Rewards for Justice reward per named defendant — bringing the combined reward total across the Stigal indictment (June 2024, $10M) and the five GRU officers ($10M each) to up to $60 million, one of the largest combined reward announcements for cyber actors in US history. This was the first time the Unit 29155 cyber actors had been formally named publicly.

  • Col. Yuriy Fedorovich Denisov: A colonel in the Russian military and the commanding officer of Cyber Operations for Unit 29155. The most senior charged individual, representing the first public charging of a Unit 29155 Cyber Operations commander.
  • Lt. Vladislav Yevgenyevich Borovkov: GRU lieutenant and Unit 29155 cyber operator. Charged for his role in the WhisperGate conspiracy and subsequent NATO targeting campaigns.
  • Lt. Denis Igorevich Denisenko: GRU lieutenant. Charged alongside Borovkov for participation in the WhisperGate and NATO operations.
  • Lt. Dmitriy Yuryevich Goloshubov: GRU lieutenant. Named in the indictment for operations against Ukrainian and NATO targets.
  • Lt. Nikolay Aleksandrovich Korchagin: GRU lieutenant. Named in the indictment covering the 2020–2024 conspiracy period.
  • Amin Timovich Stigal (civilian): Born October 1, 2002 in Grozny, Chechnya. A Russian civilian and known cybercriminal, separately indicted in June 2024 for conspiracy to commit computer intrusion, and named again in the September 2024 superseding indictment. Stigal provided infrastructure support for Unit 29155's cyber operations — setting up systems for network scanning, password compromise, and data exfiltration. His involvement illustrates the unit's reliance on civilian cyber-criminal enablers alongside its GRU officer core. Notably, his father Tim Vakhaevich Stigal is also separately wanted by the US Secret Service for unrelated cybercrime activity. All six individuals are treated as fugitives; Russia does not have an extradition treaty with the United States.

Tools & Malware

  • WhisperGate (PAYWIPE): The signature three-stage destructive wiper. Stage 1 (stage1.exe) overwrites the MBR and installs a fake ransom bootloader. Stage 2 (stage2.exe) downloads stage 3 from Discord CDN as a disguised JPG. Stage 3 corrupts 191 file extension types. No recovery mechanism. Designed to appear as ransomware while functioning as a data destroyer. Build date January 10, 2022; deployment January 13, 2022.
  • Graphiron: A custom information-stealing malware documented by Symantec in October 2022–January 2023, attributed to UAC-0056 targeting Ukraine. Collects files, credentials, screenshots, and system metadata. Represents the group's intelligence collection capability running parallel to its destructive operations.
  • SaintBot: A .NET-based malware loader obtained via dark web forums. Used as a malware delivery and staging tool within victim environments.
  • Raspberry Robin: A USB worm-based malware loader obtained from criminal sources. Used for initial access and payload delivery in some operations.
  • Impacket: Open-source Python toolkit for Windows network protocols, used for lateral movement and remote execution in the WhisperGate deployment and subsequent operations.
  • Rclone: Open-source command-line cloud storage synchronization tool used for staging and exfiltrating data to mega.nz prior to wiper deployment.
  • Acunetix / Shodan: Commercial and open-source scanning tools used for internet-facing infrastructure enumeration and vulnerability identification across NATO member and EU country targets.
  • ProxyChains: Network proxy chaining tool used to route malicious traffic — including Pass-the-Hash lateral movement — through intermediate systems to complicate traffic attribution.

Indicators of Compromise

IOCs from CISA advisory AA24-249A (September 2024), Microsoft's January 2022 WhisperGate disclosure, CrowdStrike's Ember Bear attribution report, and the DOJ September 2024 indictment. The CISA advisory includes extended IOC tables (IP addresses, domains, hashes) in its appendices — the primary source for defender implementation.

behavioral and technical indicators
hash | stage1.exe SHA256: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 — WhisperGate MBR overwrite component
hash | WhisperGate bootloader SHA256: 44ffe353e01d6b894dc7ebe686791aa87fc9c7fd88535acc274f61c2cf74f5b8 — the 16-bit bootloader installed in the overwritten MBR
path | C:\PerfLogs, C:\ProgramData, C:\, C:\temp — common working directories where stage1.exe and related files were staged on victim systems
c2 pattern | Discord CDN — WhisperGate stage 3 hosted as a disguised JPG on Discord CDN; monitor for unusual Discord CDN download activity from production systems
tool | Rclone + mega.nz — data exfiltration staging before wiper deployment; Rclone execution on servers and connections to mega.nz endpoints are a documented Unit 29155 pre-wiper indicator
network | Pass-the-Hash via ProxyChains — NTLM hash reuse routed through intermediate hosts; monitor for SMB authentication from non-standard source IPs in internal networks and Impacket execution events
cve | CVE-2021-33044, CVE-2021-33045 — Dahua IP camera authentication bypass used for initial access; audit all IP camera and IoT device credentials and patch to current firmware
scanning | Acunetix and Shodan scanning from Unit 29155 infrastructure; CISA advisory AA24-249A Appendix B contains historical IP infrastructure linked to the unit for correlation against inbound scanning logs

Mitigation & Defense

Ember Bear / Unit 29155 is assessed as active, with operations confirmed through August 2024 in the indictment timeframe and continued advisory warnings from CISA, FBI, and NSA. The primary focus remains targeting entities supporting Ukraine and NATO member critical infrastructure. Organizations in government, defense, logistics, transportation, healthcare, and energy sectors across NATO member states are the highest-risk targets.

  • Offline Immutable Backups — The Core Defense Against Wipers: WhisperGate and the broader family of destructive wipers used against Ukraine are designed to render systems permanently inoperable. The only effective defense against a wiper is having clean, offline backups that the wiper cannot reach. Implement the 3-2-1 backup rule (three copies, two media types, one offsite), and critically, ensure at least one backup copy is air-gapped — physically disconnected from networks that the threat actor could traverse. Test restoration procedures regularly. The Ukrainian government organizations that lost data to WhisperGate in January 2022 had no recovery path because the wiper left no data to recover. Offline backups create the recovery path that the wiper is designed to eliminate.
  • MBR/Boot Sector Protection: WhisperGate's Stage 1 overwrites the master boot record to prevent system recovery after reboot. Enable Secure Boot and Trusted Platform Module (TPM) protections on all endpoints. Deploy endpoint security products that monitor for unauthorized MBR modifications — Bitdefender, Windows Defender, and other EDR products can detect and alert on MBR write attempts from non-system processes. For Windows systems, enable Windows Defender Credential Guard and Device Guard to harden the boot environment.
  • Block Execution of WhisperGate Delivery Infrastructure: Stage 2 of WhisperGate downloads the file wiper from Discord's CDN. Organizations that do not have a legitimate business need for Discord CDN access can block it at the network boundary. For organizations where Discord is used, implement TLS inspection to detect malware downloads disguised as JPG attachments. Monitor for Discord CDN connections from production servers and non-user systems — file servers, domain controllers, and application servers have no legitimate reason to contact Discord CDN.
  • Patch IoT and Network Devices: Unit 29155 specifically exploited Dahua IP camera vulnerabilities (CVE-2021-33044, CVE-2021-33045) for initial access. Conduct a full IoT/OT device inventory in your environment. Ensure all IP cameras, VoIP systems, printers, and network-connected physical security systems are running current firmware, have non-default credentials, and are segmented from corporate networks. IoT devices are systematically scanned by Unit 29155 using Shodan-based automation — any device with factory default credentials or known unpatched vulnerabilities is an entry point.
  • Credential Hygiene Against Pass-the-Hash: Unit 29155 uses Pass-the-Hash for lateral movement after initial access. Implement Protected Users security group membership for privileged accounts to prevent NTLM hash caching. Enable Credential Guard on Windows 10/11 and Windows Server to protect NTLM hashes in memory. Disable NTLMv1 entirely and restrict NTLMv2 where Kerberos is available as an alternative. Monitor for SMB authentication events from unusual source systems — lateral movement via Pass-the-Hash generates authentication events from hosts that would not normally authenticate to target systems.
  • Monitor for Pre-Wiper Exfiltration Indicators: CISA documented that Unit 29155 exfiltrates data to mega.nz via Rclone before triggering WhisperGate. Any Rclone execution on production systems, and any connection from production systems to mega.nz or similar file-sharing services, should be treated as a high-priority alert. Implement data loss prevention (DLP) controls that alert on large-volume outbound transfers to consumer cloud storage services from server-class assets and alert on Rclone binary execution outside of authorized backup tooling.
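
The TTP rows on Pass-the-Hash, Rclone/mega.nz and Discord CDN staging, and the three monitoring recommendations above, reduce to a handful of rules over endpoint and network telemetry. The block below is an added example for this profile, not detection content from CISA or any vendor: the event records are constructed, the server inventory and the "who normally authenticates to whom" baseline are assumed inputs you would feed from your own CMDB and logon history, and the Discord CDN and MEGA hostname lists are the author's assumptions about what to watch.

```python
"""Rules for the Unit 29155 pre-wiper chain described in this profile (added example; telemetry constructed)."""

SERVER_ASSETS = {"FILESRV01", "DC01", "APP02"}                      # assumption: server-class tags from inventory
EXPECTED_LOGON_SOURCES = {                                          # assumption: learned from historical 4624 data
    "FILESRV01": {"ADMIN-WS01"},
    "DC01": {"ADMIN-WS01", "APP02"},
}
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}  # assumption: hostnames to treat as Discord CDN
MEGA_HOSTS = {"mega.nz", "mega.co.nz"}                              # assumption: hostnames to treat as MEGA
EXFIL_TOOLS = {"rclone.exe", "rclone"}

# Constructed sample telemetry: Windows 4624 logons, process starts and outbound connections.
EVENTS = [
    {"kind": "logon", "event_id": 4624, "logon_type": 3, "auth_package": "NTLM",
     "target_host": "FILESRV01", "source_host": "ADMIN-WS01", "user": "svc_backup"},   # expected admin path
    {"kind": "logon", "event_id": 4624, "logon_type": 3, "auth_package": "NTLM",
     "target_host": "FILESRV01", "source_host": "HR-LAPTOP17", "user": "da_ops"},      # NTLM from an odd source
    {"kind": "logon", "event_id": 4624, "logon_type": 3, "auth_package": "Kerberos",
     "target_host": "DC01", "source_host": "HR-LAPTOP17", "user": "jdoe"},             # Kerberos: not PtH
    {"kind": "process", "host": "FILESRV01", "image": "rclone.exe",
     "cmdline": "rclone.exe copy D:\\shares remote:drop"},
    {"kind": "netconn", "host": "FILESRV01", "dest_host": "mega.nz", "dest_port": 443},
    {"kind": "netconn", "host": "HR-LAPTOP17", "dest_host": "cdn.discordapp.com", "dest_port": 443},  # user device
    {"kind": "netconn", "host": "APP02", "dest_host": "cdn.discordapp.com", "dest_port": 443},        # server
]


def ntlm_network_logons_from_unexpected_hosts(events, baseline=EXPECTED_LOGON_SOURCES):
    """Pass-the-Hash surfaces as NTLM network logons (4624, type 3) from hosts outside the baseline."""
    hits = []
    for e in events:
        if e.get("kind") != "logon" or e.get("event_id") != 4624:
            continue
        if e.get("logon_type") != 3 or e.get("auth_package") != "NTLM":
            continue
        if e["source_host"] not in baseline.get(e["target_host"], set()):
            hits.append((e["source_host"], e["target_host"], e["user"]))
    return hits


def rclone_or_mega_from_servers(events, servers=SERVER_ASSETS):
    """Rclone execution or MEGA connections on server-class assets: the documented exfiltrate-then-wipe step."""
    hits = []
    for e in events:
        if e["kind"] == "process" and e["host"] in servers and e["image"].lower() in EXFIL_TOOLS:
            hits.append(("rclone-execution", e["host"]))
        elif e["kind"] == "netconn" and e["host"] in servers and e["dest_host"].lower() in MEGA_HOSTS:
            hits.append(("mega-connection", e["host"]))
    return hits


def discord_cdn_from_servers(events, servers=SERVER_ASSETS):
    """Servers have no user in front of them, so any Discord CDN fetch from one is worth a ticket."""
    return [e["host"] for e in events
            if e["kind"] == "netconn" and e["host"] in servers
            and e["dest_host"].lower() in DISCORD_CDN_HOSTS]


def declared_jpeg_is_pe(filename: str, blob: bytes) -> bool:
    """For TLS-inspected downloads: a .jpg/.jpeg name carrying a PE ('MZ') header instead of JPEG magic."""
    if not filename.lower().endswith((".jpg", ".jpeg")):
        return False
    return blob[:2] == b"MZ" and not blob.startswith(b"\xff\xd8\xff")


if __name__ == "__main__":
    print("NTLM logons outside baseline:", ntlm_network_logons_from_unexpected_hosts(EVENTS))
    print("Exfil tooling on servers:", rclone_or_mega_from_servers(EVENTS))
    print("Discord CDN from servers:", discord_cdn_from_servers(EVENTS))
```

Any one of these alone is noisy in a large estate; the combination of an unexpected NTLM logon to a server followed by Rclone execution and a MEGA connection from that same server is the sequence the advisory describes and should page someone.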

analyst note

The September 2024 attribution of Ember Bear to GRU Unit 29155 is among the most consequential threat intelligence events of the decade — not because it changed what we knew about the cyber campaigns, but because of what it revealed about the organizational context. A unit that poisoned people with nerve agent on British soil and bombed ammunition depots in Czechia is now also conducting destructive cyber operations against civilian government hospitals, tax authorities, and education ministries. This is not a unit with primarily cyber espionage objectives that occasionally moves toward disruption. This is a special operations unit with a mandate that encompasses assassination, sabotage, and psychological operations — that has added cyber as another tool in that mandate. For defenders, this framing matters: when Unit 29155 conducts a cyber operation, its operational doctrine is shaped by the same thinking that decided nerve agent was an appropriate tool for an assassination on British soil. The WhisperGate deployment against Ukrainian health records, tax systems, and education networks — civilian infrastructure with no military value — was not an intelligence failure or collateral damage. It was deliberate targeting of civilian systems for psychological impact, consistent with the unit's physical operations doctrine. That context should inform how organizations in current and potential future Unit 29155 target categories assess and prioritize their defensive investments.

Sources & Further Reading

Primary government documents, court filings, and vendor research used to build this profile. All claims trace to at least one source listed here.

— end of profile