>samit_hota
Back to adversary profiles
G1031HighActive

Saint Bear (G1031): Russian-Nexus Threat Actor Profile

Samit Hota·
Suspected Origin
Russia
Motivation
Espionage, Information Theft, Disruption
Aliases
Storm-0587, TA471, UAC-0056, Lorec53
Target Sectors
Government, Telecommunications, Critical Infrastructure, Energy, Financial, Media, Transportation, IT Service Providers, Law Enforcement, Non-profit and Non-governmental Organizations, Emergency Services
Associated Malware
Saint Bot, OutSteel, Cobalt Strike, GrimPlant, GraphSteel, Graphiron
#threat-actor#g1031

Overview

Saint Bear, tracked by MITRE ATT&CK as G1031, is a Russian-nexus threat actor that emerged in early 2021. This group is known for its persistent targeting of entities in Ukraine and Georgia, with a primary motivation centered on cyber espionage and information theft. While often operating under various aliases such as Storm-0587, TA471, UAC-0056, and Lorec53, Saint Bear is officially recognized as distinct from other Russian-linked groups like Ember Bear (G1003), despite some overlap in reported aliases by different security vendors. This distinction highlights unique behavioral profiles, tools, and targeting strategies that differentiate Saint Bear’s operations.

The group’s activities suggest a well-resourced and coordinated effort, frequently aligning with Russian geopolitical objectives. Beyond its primary focus regions, threat intelligence indicates a broader targeting scope for activity clusters that overlap with Saint Bear’s aliases, including government agencies, law enforcement, non-profit and non-governmental organizations, IT service providers, and emergency services across Europe, Central Asia, and periodically, Latin America, particularly targeting NATO member states providing aid to Ukraine. This expanded targeting underscores a strategic intent to gather intelligence and potentially disrupt operations relevant to Russia’s interests.

Tactics & Techniques

Saint Bear’s initial access heavily relies on social engineering, primarily spear-phishing campaigns and the staging of malicious websites. These campaigns often involve spoofing legitimate government or related entities, leveraging current political events, or exploiting themes related to the ongoing conflict in Ukraine to craft compelling lures. Victims are typically enticed to open malicious documents, often Microsoft Office files embedded with JavaScript, or click on links that lead to the download and execution of harmful payloads. The group has also been observed exploiting client application vulnerabilities, such as CVE-2017-11882 in Microsoft Office, to achieve code execution in target environments.

Upon gaining initial access, Saint Bear utilizes various techniques for execution and defense evasion. They extensively employ PowerShell, Windows Script Host (wscript), and Windows Command Shell to retrieve and execute follow-on malware. To maintain stealth, the group implements anti-analysis and anti-virtualization checks within its malware. Furthermore, Saint Bear actively attempts to disable or modify security tools, notably Windows Defender, by altering registry entries and scheduled tasks through malicious batch scripts. They have also been known to clone .NET assemblies and legitimate code signing certificates, such as one associated with “Electrum Technologies GmbH,” to obfuscate their initial loader payloads and appear more legitimate.

For command and control (C2), Saint Bear has leveraged infrastructure like the Discord content delivery network (CDN) to host malicious content, demonstrating adaptability in their operational infrastructure. Collection and exfiltration often involve document stealers and other malware designed to gather system information, credentials, screen content, and various files of interest. Lateral movement capabilities have been observed through the deployment of tools like Cobalt Strike beacons, allowing them to expand their foothold within compromised networks.

Notable Campaigns

Saint Bear has maintained consistent activity since early 2021, often adapting its lures and tooling to current events. Early campaigns in July 2021 saw the group deploying phishing documents, some in Georgian, that exploited local political hotspots to deliver information-stealing Trojans. These activities were correlated with earlier phishing attacks against the Ukrainian government, indicating a long-standing focus on these regions.

In February 2022, coinciding with the heightened geopolitical tensions, Saint Bear conducted spear-phishing attacks against Ukrainian organizations, deploying its signature Saint Bot and OutSteel malware. During early 2022, the group was also observed targeting various entities in Ukraine, including the private TV channel ICTV, using macro-embedded Excel documents and a bespoke tool known as the Elephant Framework. A notable campaign in early 2022 involved the use of a malicious binary masquerading as Ukrainian language translation software to deliver Cobalt Strike, GrimPlant, and GraphSteel malware.

Throughout 2022, UAC-0056 (an alias overlapping with Saint Bear and Ember Bear) continued to launch phishing campaigns against Ukrainian state bodies, distributing Cobalt Strike Beacon malware and utilizing war-themed lures. By February 2023, threat actors identified as TA471 (another Saint Bear alias) were observed targeting Ukrainian government websites, employing custom backdoors, web shells, and tunneling tools like CredPump, Ngrok, and Gost to facilitate infections. While Cadet Blizzard (DEV-0586), a GRU-sponsored group, has been linked to destructive activity and shares some aliases with Saint Bear’s activity clusters, it’s important to reiterate that Saint Bear itself is distinguished by its primary focus on espionage and information theft through tools like Saint Bot and OutSteel.

Associated Malware & Tools

Saint Bear leverages a diverse arsenal of custom and commodity malware, with a clear preference for information-stealing capabilities and remote access.

  • Saint Bot (S1018): A custom remote access tool (RAT) and downloader frequently observed in their spear-phishing campaigns. It can be customized to deploy various payloads, including information stealers.
  • OutSteel (S1017): A dedicated information stealer used to exfiltrate documents and other sensitive data from compromised systems.
  • Cobalt Strike: A commercially available penetration testing tool frequently abused by Saint Bear and its related activity clusters (e.g., UAC-0056) for post-exploitation activities, including lateral movement and establishing persistent access.
  • GrimPlant: A Go-based backdoor utilized by the group for covert access and control over infected machines.
  • GraphSteel: Another Go-based information stealer, often deployed alongside GrimPlant, designed to collect system information and credentials.
  • Graphiron: A newer, Go-based information stealer seen in recent campaigns. It’s capable of gathering a wide array of data, including system information, credentials, screen content, and files from infected computers.
  • Elephant Framework: An initial loader used in specific campaigns, notably against Ukrainian organizations.
  • Web shells: Employed for persistence on target networks and enabling command execution, particularly in campaigns targeting government websites.
  • Custom Loaders: The group utilizes custom loaders that sometimes feature cloned legitimate code signing certificates to evade detection.

Current Status

Saint Bear remains an active and persistent threat actor. The group has shown consistent activity since its emergence in early 2021, with various cybersecurity vendors and national CERTs tracking its operations through 2022 and 2023. MITRE ATT&CK’s profile for G1031 was last modified in August 2024, and other threat intelligence platforms show updates as late as October 2024, indicating ongoing monitoring and confirmed recent activity.

Activity clusters associated with Saint Bear, such as Storm-0587, are described as operating seven days a week, often conducting operations during target organizations’ off-business hours to minimize detection. While Ukraine and Georgia remain primary targets for espionage and information collection, the group’s evolving activities, particularly those linked to Cadet Blizzard/UAC-0056, indicate an expanding interest in critical infrastructure and governmental entities within NATO member states that are providing support to Ukraine. The continuous adaptation of their tactics, techniques, and procedures, coupled with the deployment of new malware strains like Graphiron, underscores Saint Bear’s ongoing commitment to its objectives and its capacity to pose a significant cyber threat.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call