diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2917230..fc735ba 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9164,7 +9164,26 @@
 },
 "uuid": "ad2d6946-1ec2-4d77-b864-39980af4e103",
 "value": "Killnet"
+ },
+ {
+ "description": "A group targeting UA state organizations using the GraphSteel and GrimPlant malware.",
+ "uuid": "c67d3dfb-ab39-46e1-a971-5efdfe6a5b9f",
+ "value": "SaintBear",
+ "meta": {
+ "synonyms": [
+ "UNC2589",
+ "TA471",
+ "UAC-0056"
+ ],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel",
+ "https://cert.gov.ua/article/38374",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/",
+ "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/",
+ "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/"
+ ]
+ }
 }
 ],
- "version": 218
+ "version": 219
 }
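Review bot: The aliases `UNC2589` and `TA471`, and the cluster name `SaintBear` itself, are not traceable to any of the five `refs` as far as the URLs show; only `UAC-0056` appears in the link slugs, though the linked pages may name the others. Consumers that tag and correlate events by cluster synonym will merge everything reported under those names into this actor, so each alias should be backed by a reference that states the equivalence, or left out until one is listed. The new object also orders its keys `description`, `uuid`, `value`, `meta` with `synonyms` before `refs`, whereas the preceding entry appears to close `meta` before `uuid`; following the file's existing key order keeps later automated re-sorts from producing a noisy diff. The description would read more clearly with the abbreviation spelled out: `"description": "A group targeting Ukrainian state organizations using the GraphSteel and GrimPlant malware.",`.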