ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > SaintBear, Lorec53

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: SaintBear, Lorec53

NamesSaintBear (ThreatBook)
Ember Bear (CrowdStrike)
TA471 (Proofpoint)
UNC2589 (FireEye)
Lorec53 (NSFOCUS)
UAC-0056 (CERT-UA)
Nodaria (Symantec)
FROZENVISTA (Google)
Storm-0587 (Microsoft)
Nascent Ursa (Palo Alto)
CountryRussia Russia
MotivationInformation theft and espionage
First seen2021
Description(NSFOCUS) In July 2021, several phishing documents created in Georgian were discovered by NSFOCUS Security Labs. In these phishing documents, the attackers used current political hotspots in Georgia to create bait and deliver a secret stealing Trojan to specifically targeted victims aiming to steal various documents from their computers. Correlation analysis shows that this phishing campaign and an earlier phishing attack against the Ukrainian government came from the same unknown threat entity, most likely composed of Russian hackers. From April to July of 2021, the group launched several phishing attacks applying a large number of network resources located in Russia. In order to facilitate ongoing tracking, NSFOCUS Security Labs has tentatively dubbed the hacker group Lorec53 by extracting special names from related Trojans.
ObservedSectors: Energy, Financial, Government, Media, Transportation.
Countries: Georgia, Ukraine, USA.
Tools usedCobalt Strike, Graphiron, GraphSteel, GrimPlant, OutSteel, SaintBot.
Operations performedFeb 2022Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
<https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/>
Mar 2022Ukraine’s CERT Warns Threat Actors For Fake AV Updates
<https://www.socinvestigation.com/ukraines-cert-warns-russian-threat-actors-for-fake-av-updates/>
Mar 2022Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
<https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/>
Oct 2022Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine
<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer>
Information<https://nsfocusglobal.com/apt-retrospection-lorec53-an-active-russian-hack-group-launched-phishing-attacks-against-georgian-government/>
<https://www.crowdstrike.com/blog/who-is-ember-bear/>
<https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf>
MITRE ATT&CK<https://attack.mitre.org/groups/G1003/>
Playbook<https://pan-unit42.github.io/playbook_viewer/?pb=nascentursa>

Last change to this card: 10 March 2024

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]