Names | SaintBear (ThreatBook) Ember Bear (CrowdStrike) TA471 (Proofpoint) UNC2589 (FireEye) Lorec53 (NSFOCUS) UAC-0056 (CERT-UA) Nodaria (Symantec) FROZENVISTA (Google) Storm-0587 (Microsoft) Nascent Ursa (Palo Alto) | |
Country | Russia | |
Motivation | Information theft and espionage | |
First seen | 2021 | |
Description | (NSFOCUS) In July 2021, several phishing documents created in Georgian were discovered by NSFOCUS Security Labs. In these phishing documents, the attackers used current political hotspots in Georgia to create bait and deliver a secret stealing Trojan to specifically targeted victims aiming to steal various documents from their computers. Correlation analysis shows that this phishing campaign and an earlier phishing attack against the Ukrainian government came from the same unknown threat entity, most likely composed of Russian hackers. From April to July of 2021, the group launched several phishing attacks applying a large number of network resources located in Russia. In order to facilitate ongoing tracking, NSFOCUS Security Labs has tentatively dubbed the hacker group Lorec53 by extracting special names from related Trojans. | |
Observed | Sectors: Energy, Financial, Government, Media, Transportation. Countries: Georgia, Ukraine, USA. | |
Tools used | Cobalt Strike, Graphiron, GraphSteel, GrimPlant, OutSteel, SaintBot. | |
Operations performed | Feb 2022 | Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot <https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/> |
Mar 2022 | Ukraine’s CERT Warns Threat Actors For Fake AV Updates <https://www.socinvestigation.com/ukraines-cert-warns-russian-threat-actors-for-fake-av-updates/> | |
Mar 2022 | Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign <https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/> | |
Oct 2022 | Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine <https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer> | |
Information | <https://nsfocusglobal.com/apt-retrospection-lorec53-an-active-russian-hack-group-launched-phishing-attacks-against-georgian-government/> <https://www.crowdstrike.com/blog/who-is-ember-bear/> <https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf> | |
MITRE ATT&CK | <https://attack.mitre.org/groups/G1003/> | |
Playbook | <https://pan-unit42.github.io/playbook_viewer/?pb=nascentursa> |
Last change to this card: 10 March 2024
Download this actor card in PDF or JSON format
Previous: Safe
Next: Samurai Panda
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |