RU · G1003

SaintBear

Also known as: UNC2589 · TA471 · UAC-0056 · Nascent Ursa · Nodaria · FROZENVISTA · Storm-0587 · DEV-0587 · Saint Bear · Lorec53 · EMBER BEAR · Lorec Bear · Bleeding Bear · Cadet Blizzard · SaintBear

Origin: RU
Known aliases: 15

Profile

SaintBear is a Russian-attributed threat actor catalogued by MISP-Galaxy (MISP-Galaxy v341). The group is also tracked as UNC2589, TA471, UAC-0056 (and 11 more). Original record: A group targeting UA state organizations using the GraphSteel and GrimPlant malware.

Aliases · 15

UNC2589 · TA471 · UAC-0056 · Nascent Ursa · Nodaria · FROZENVISTA · Storm-0587 · DEV-0587 · Saint Bear · Lorec53 · EMBER BEAR · Lorec Bear · Bleeding Bear · Cadet Blizzard · SaintBear

MITRE ATT&CK Group crosswalk

G1003

References

  1. https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel
  2. https://cert.gov.ua/article/38374
  3. https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/
  4. https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/
  5. https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/
  6. https://unit42.paloaltonetworks.com/atoms/nascentursa/
  7. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer
  8. https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

Actor: Boulder Bear
Actor: ENERGETIC BEAR
Actor: SpaceBears
Actor: Void Blizzard
Actor: APT28
Software: Saint Bot

Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.