Ember Bear, a very active Russian state-backed cyber group
CrowdStrike assesses that the Ember Bear group is likely responsible for the wiper attack against Ukrainian networks, and warns that Russian cyberattacks could soon target the West.
As fears escalate over the prospect of a Russian government-initiated “cyberwar,” the number of state-backed cyber groups is also growing. CrowdStrike has identified one named Ember Bear (also known as UAC-0056, Lorec53, Lorec Bear, Bleeding Bear and Saint Bear). According to the cybersecurity firm, Ember Bear is believed to be an intelligence collection group that has operated against government and military organizations in Eastern Europe since early 2021. CrowdStrike’s intelligence indicates that the Russian group appears “motivated to exploit access and data obtained during their intrusions in order to support military information operations (IO). These operations aim to create public distrust of the targeted institutions and degrade the government’s ability to counter Russian cyber operations.”
Ember Bear is believed to have been behind the WhisperGate malware deployed against Ukrainian networks in January, before the invasion. WhisperGate masquerades as ransomware but has no payment or data recovery mechanism: the ransom note hides its real purpose, which is the destruction of data. The campaigns began with defacements of websites carrying threatening messages in Ukrainian, Russian and Polish. Despite its connection to Russia, the group differs from its better-known siblings, such as Fancy Bear or Voodoo Bear, in that CrowdStrike cannot link it to a specific Russian organization. Its target profile, assessed intent, and technical tactics, techniques and procedures are nonetheless consistent with other Russian General Intelligence Directorate (GRU) cyber operations.
Russian cyber threat activity on the rise
Before a House Homeland Security Committee hearing on Russian cyber threats, Adam Meyers, senior vice president for intelligence at CrowdStrike, said that “when Russia started gathering forces on the Ukrainian border, Russian cyber threat activity increased.” As Meyers noted, a host of other attacks have followed the WhisperGate campaigns, including DDoS attacks and attacks against satellite networks.
In addition, established groups have taken sides in the conflict, and a range of hacktivist organizations have entered the fray. Despite this level of activity, Russia has not launched high-profile cyberattacks so far in this war. But, according to Meyers, “there are indications that Russia may become more aggressive in retaliation for foreign support for Ukraine and significant sanctions imposed on Russian personnel and entities.”
Real-time information sharing
Speaking at the same hearing, Kevin M. Morley, head of federal relations at the American Water Works Association (AWWA), said “recent federal recommendations on how to mitigate Russian cyber threats have been invaluable.” He added, “The water industry has been an active participant in numerous information sessions hosted by CISA and the U.S. Environmental Protection Agency (EPA), which highlight evolving threats and help professional organizations, such as the AWWA, to sensitize their members. Working with industry partners, the EPA reached out to 58,000 vendors collectively serving approximately 300 million Americans about cyber threat concerns as of the end of December 2021. This led to several information sessions at the sector-level events organized by the EPA to share information on Russian cyber threat activity,” Morley said.
Steven Silberstein, CEO of the Financial Services Information Sharing and Analysis Center, said the consortium applauds the Biden-Harris administration for its regular monitoring and early sharing of information throughout the escalating geopolitical situation in Eastern Europe and Russia’s invasion of Ukraine. The industry consortium, dedicated to reducing cyber risk in the global financial system, notably welcomed the paradigm shift from reactive warnings to proactive warnings issued ahead of Russian military action.
US collective security impacted
Finally, Amit Yoran, CEO of Tenable, also praised the administration’s efforts to help companies deal with Russian cyber threats, but said that “for almost all organizations, cybersecurity risk management practices are the same whether the attack comes from the Russians, other nation states, cybercriminals or other bad actors.” “Representatives have certainly understood that there is something new happening vis-à-vis CISA and JCDC [CISA’s Joint Cyber Defense Collaborative] public-private information sharing and its importance to the collective security of the United States,” said Adam Meyers of CrowdStrike.
Regarding Ember Bear and why the company went public with what it knows about the group, Meyers said, “We looked at this adversary, who had engaged in multiple attacks in Eastern Europe and sabotage campaigns in Ukraine, and at keeping things in-house or going public. Things have changed, and we wanted to share this information so others can follow this group and understand how it operates and what its goals are.”
Russian escalation against the West is being considered
As to why Russia has not engaged in widespread destructive cyber activity, Meyers said that “widespread and destructive cyber attacks in Ukraine would have been contrary to Russian information operations and psychological warfare efforts against the Ukrainian people. They needed the systems and infrastructure to be up and running to be able to deliver different messages in the media, whether for psychological purposes or to disrupt or create misinformation to the general public and the military.” Given the changing dynamics in Ukraine, “at some point it may become moot,” said Meyers. “They may decide that they no longer wish to carry out disinformation operations against Ukraine, and that it is more advantageous for them to carry out disruptive operations.”
Ukraine could very well become the least of Russia’s digital battlegrounds. “The big concern becomes the escalation against the West. At some point, the calculation might be that it is more beneficial to carry out a disruptive attack on the United States in order to affect some kind of political or ideological message.” Meanwhile, at least one panel member plans to introduce new legislation aimed at bolstering cybersecurity for satellite operators following the Russian cyberattack on satellite provider Viasat. During the hearing, Rep. Tom Malinowski (D-NJ) said he will soon introduce legislation that “will allow satellite operators to better protect themselves against cyberattacks.”