Threat Actor Profile Updated 3 months ago
UNC2589, also known as Frozenvista, is a threat actor that emerged as a significant cybersecurity concern in 2021. Linked to the Russian Armed Forces' Main Directorate of the General Staff (GRU), the group began deploying phishing attacks against Ukrainian organizations in April 2021, a month after Russian troops began massing on the Ukrainian border. This Advanced Persistent Threat (APT) group is assessed to be a new and probable GRU actor, underscoring its potential for cyber espionage. Alongside UNC2589, other groups such as APT28, also associated with Russian military intelligence, were observed conducting extensive information collection and disinformation operations. These activities escalated before Russia's invasion of Ukraine in February 2022. The threat landscape was not limited to Russian actors: Mandiant also observed Chinese, Belarusian, and Iranian threat groups targeting Ukraine, indicating a complex and multifaceted cyber warfare environment. Government experts have attributed these cyberattacks to various groups, including UAC-0056, DEV-0586, Nodaria, and Lorec53, alongside UNC2589. These groups have been implicated in numerous cyberattacks, demonstrating a broad and persistent threat to Ukraine's cybersecurity infrastructure. The concerted efforts of these threat actors underline the strategic use of cyber warfare tactics in geopolitical conflicts.
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions between vendors is difficult, so the following are possible overlapping names / profiles that may also be relevant.
Lorec53, also known as UAC-0056, TA471, SaintBear, and Ember Bear, is a threat actor group associated with numerous cyberattacks, particularly against Ukraine and Georgia. This group has been identified by various cybersecurity organizations, each using a different moniker to track its activities. T
DEV-0586, also known as "Cadet Blizzard," is a threat actor identified and tracked by Microsoft Threat Intelligence. This entity is suspected to be a Russian state-sponsored group, utilizing a variety of techniques, tools, and infrastructure to carry out cyberattacks with malicious intent. The namin
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Associated Vulnerabilities
No associations to display
Source Document References
Information about the UNC2589 threat actor was read from the document corpus below. This display is limited to 20 results.
Google Report Reveals Russia's Elaborate Cyber Strategy in Ukraine (a year ago)
CERT of Ukraine: Russia-linked APT backdoored multiple govt sites (a year ago)
Businesses detect cyberattacks faster despite increasingly sophisticated adversaries (CSO Online, a year ago)
3 Flaws, 1 War Dominated Cyber-Threat Landscape in 2022 (a year ago)