Cyber Resilience

Threat actor · all actors

Saint BearG1031 state

🇷🇺 RU

aka Saint Bear, Storm-0587, TA471, UAC-0056, Lorec53

Last updated: 2026-07-03

0attributed CVEs
26ATT&CK techniques
0.0IDF score (tooling uniqueness)
0exclusive CVEs
years active

About this actor

[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool, [Saint Bot](https://attack.mitre.org/software/S1018), and information stealer, [OutSteel](https://attack.mitre.org/software/S1017) in campaigns. [Saint Bear](https://attack.mitre.org/groups/G1031) typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )(Citation: Cadet Blizzard emerges as novel threat actor) [Saint Bear](https://attack.mitre.org/groups/G1031) has previously been confused with [Ember Bear](https://attack.mitre.org/groups/G1003) operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.

Source: MITRE ATT&CK

Activity timeline

No activity events recorded.

Profile

CVERiskCVSSEPSSPublishedProducts
No attributed CVEs.

Mitigating controls (NIST 800-53)

ControlTechniques coveredCoverage
SI-314 / 2654%
SI-414 / 2654%
CM-212 / 2646%
CM-612 / 2646%
SI-712 / 2646%
SI-210 / 2638%
CA-79 / 2635%
CM-79 / 2635%
AC-68 / 2631%
AC-37 / 2627%
SI-107 / 2627%
AC-26 / 2623%
AC-46 / 2623%
IA-96 / 2623%
SC-446 / 2623%

Co-occurring actors

None.

Similar actors