Menu
Browse

Cyber Threat Actor: UNC2903

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Nation State
0 incidents
Profile

UNC2903 and UNC4166, also tracked as UAC-0056, Ember Bear, Lorec53, SaintBear, UNC2589, and TA471, operate with a primary focus on Ukrainian government entities and critical infrastructure. Their activities align with strategic objectives including cyberespionage, data theft, and disruptive attacks, particularly during periods of heightened geopolitical tension. The group has targeted Ukrainian central and local government websites, energy providers, and media organizations such as ICTV. Secondary targeting extends to North American and Western European organizations, though with less frequency. Operations frequently involve credential harvesting, network compromise, and the deployment of data-wiping malware to impair organizational functions.

This actor employs diverse initial access vectors, including phishing emails with malicious macro-embedded Excel documents, exploitation of vulnerabilities in Zimbra (CVE-2018-6882) and October CMS (CVE-2021-32648), and web shells planted on compromised websites. Malware tooling includes the Elephant framework (Dropper, Downloader, Implant, Client), GrimPlant and GraphSteel backdoors, Cobalt Strike Beacon, and wipers such as WhisperGate and CaddyWiper. The group leverages stolen Microsoft certificates for code signing, Go-based malware for payload delivery, and tunneling utilities like GOST and Ngrok for command-and-control infrastructure. Publicly reported campaigns include the December 2021 compromise of Ukrainian government websites using backdoors deployed months prior, the January 2022 WhisperGate wiper attack against Ukrainian government systems, and March 2022 phishing campaigns distributing IcedID malware. Ukrainian and international analysts attribute these activities to Russian state interests based on targeting patterns and coordination with geopolitical events.

Incidents
Attributed incidents available to members
0 incidents
Sources
Sources available to members
9 sources