Saint Bear · G1031 · state
🇷🇺 RU
aka Saint Bear, Storm-0587, TA471, UAC-0056, Lorec53
Last updated: 2026-07-03
About this actor
[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for using a specific remote access tool, [Saint Bot](https://attack.mitre.org/software/S1018), and an information stealer, [OutSteel](https://attack.mitre.org/software/S1017), in its campaigns. [Saint Bear](https://attack.mitre.org/groups/G1031) typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022) (Citation: Cadet Blizzard emerges as novel threat actor) [Saint Bear](https://attack.mitre.org/groups/G1031) has previously been confused with [Ember Bear](https://attack.mitre.org/groups/G1003) operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.
Source: MITRE ATT&CK
Activity timeline
No activity events recorded.
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| No attributed CVEs. | | | | | |
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-3 | 14 / 26 | 54% |
| SI-4 | 14 / 26 | 54% |
| CM-2 | 12 / 26 | 46% |
| CM-6 | 12 / 26 | 46% |
| SI-7 | 12 / 26 | 46% |
| SI-2 | 10 / 26 | 38% |
| CA-7 | 9 / 26 | 35% |
| CM-7 | 9 / 26 | 35% |
| AC-6 | 8 / 26 | 31% |
| AC-3 | 7 / 26 | 27% |
| SI-10 | 7 / 26 | 27% |
| AC-2 | 6 / 26 | 23% |
| AC-4 | 6 / 26 | 23% |
| IA-9 | 6 / 26 | 23% |
| SC-44 | 6 / 26 | 23% |
Co-occurring actors
None.
Similar actors
Similar TTPs
Same nation-state
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00