At the beginning of the invasion of Ukraine, we released a security advisory with recommendations based on different risk tiers. Since then, our Threat Intelligence (TI) and Managed Detection and Response (MDR) teams have been actively monitoring the situation and identifying active threats. Not surprisingly, the highest risk group contains businesses and organizations located in Ukraine, especially government entities and critical infrastructure.
One of the groups actively engaged in pro-Russian cyber-attacks is UAC-0056. This group has been active since at least March 2021, and its primary objective seems to be cyber espionage with a focus on key state sectors. Other names for this group are Lorec53, UNC2589, EmberBear, LorecBear, BleedingBear, SaintBear, and TA471.
This group has been associated with attacks using the OutSteel and GraphSteel stealers (malware designed to collect and exfiltrate data). OutSteel is written in AutoIt, while GraphSteel is written in Go (often referred to as Golang). Both languages are easy to work with, but AutoIt is the simpler of the two, a scripting language commonly used by system administrators and automation scripters, whereas Go is a compiled language better suited to building a more capable implant. The behavior of the Go-based GraphSteel is accordingly more sophisticated – while its primary purpose is