From 991765a1c749d2149bfeddf04a12d387816fc7c6 Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Thu, 1 Feb 2024 11:02:05 -0800
Subject: [PATCH] [threat-actors] Add SaintBear aliases

---
 clusters/threat-actor.json | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4e618c4..d95aae4 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10269,6 +10269,7 @@
     {
       "description": "A group targeting UA state organizations using the GraphSteel and GrimPlant malware.",
       "meta": {
+        "country": "RU",
         "refs": [
           "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel",
           "https://cert.gov.ua/article/38374",
@@ -10277,7 +10278,8 @@
           "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/",
           "https://unit42.paloaltonetworks.com/atoms/nascentursa/",
           "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer",
-          "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/"
+          "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
+          "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/"
         ],
         "synonyms": [
           "UNC2589",
@@ -10285,7 +10287,10 @@
           "UAC-0056",
           "Nascent Ursa",
           "Nodaria",
-          "FROZENVISTA"
+          "FROZENVISTA",
+          "Storm-0587",
+          "DEV-0587",
+          "Saint Bear"
         ]
       },
       "uuid": "c67d3dfb-ab39-46e1-a971-5efdfe6a5b9f",