🇷🇺
SaintBear
APT Group
Information theft and espionage
Sabotage and destruction
8 zero-day CVEs
ETDA ✓
Also Known As 14 names
Bleeding Bear
Cadet Blizzard
DEV-0587
EMBER BEAR
FROZENVISTA
Lorec Bear
Lorec53
Nascent Ursa
Nodaria
Saint Bear
Storm-0587
TA471
UAC-0056
UNC2589
Target Countries 3
Georgia
Ukraine
United States
Sectors Targeted
Financial
Media
Government
Transportation
Computer Systems Design and Related Services (54151)
Internet Publishing and Broadcasting and Web Search Portals (51913)
Energy
Periodical Publishers (51112)
Details
Origin
🇷🇺 RU
Last Updated
01 Jun 2022
Malware Families 3
saint_bot
dnwipe
pas
MITRE ATT&CK 102
T1003 - OS Credential Dumping
T1003.001
T1003.002
T1003.004
T1005
T1018
T1021
T1027
T1027.002
T1027.013
T1036
T1036.005
T1046 - Network Service Scanning
T1047
T1049
T1053
T1053.005
T1059 - Command and Scripting Interpreter
T1059.001
T1059.003
T1059.007
T1070
T1070.004
T1071 - Application Layer Protocol
T1071.001
T1071.004
T1078 - Valid Accounts
T1078.001
T1082
T1083
T1090 - Proxy
T1090.003
T1095 - Non-Application Layer Protocol
T1105 - Ingress Tool Transfer
T1110 - Brute Force
T1110.003
T1112
T1113
T1114 - Email Collection
T1115
T1119
T1123
T1125 - Video Capture
T1133
T1137
T1190 - Exploit Public-Facing Application
T1195
T1203
T1204
T1204.001
T1204.002
T1210
T1213 - Data from Information Repositories
T1218
T1485 - Data Destruction
T1486
T1491
T1491.002
T1495
T1497
T1505 - Server Software Component
T1505.003
T1550 - Use Alternate Authentication Material
T1550.002
T1552 - Unsecured Credentials
T1552.001
T1553
T1553.002
T1555
T1560 - Archive Collected Data
T1561
T1561.002
T1562
T1562.001
T1566
T1566.001
T1567 - Exfiltration Over Web Service
T1567.002
T1570
T1571
T1572 - Protocol Tunneling
T1583 - Acquire Infrastructure
T1583.003
T1583.006
T1585
T1588 - Obtain Capabilities
T1588.001
T1588.005
T1589
T1589.002
T1590 - Gather Victim Network Information
T1595 - Active Scanning
T1595.001
T1595.002
T1596 - Search Open Technical Databases
T1608
T1608.001
T1654
T1656
T1684
T1684.001
T1685