SANDWORM
The Sandworm team began activity in 2009.
AKA – Voodoo Bear, Black Energy, Quedagh, TeleBots, Electrum
Pro-Russia hackers, either state sponsored or state-motivated
Targets:
Ukrainian Government
Energy
Media
Telecom Companies
Academic Institutions
Industrial Control Systems
Supervisory Control and Data Acquisition (SCADA)
Defense industry and governments in the US, Poland and other NATO countries
OBJECTIVES:
Gather intelligence; harvest SSL keys
NOTABLE EVENTS
2010 – BlackEnergy2 used against industrial control networks in Ukraine
2014 – BlackEnergy2 used against U.S. critical infrastructure
2015-2016 – Two cyberattacks resulting in blackouts (BlackEnergy3)
Prykarpattyaoblenergo
2015 – Attacks on news companies during the Ukrainian 2015 elections
2015 – Attacks on Ukrainian government organizations, railway firms and media outlets
2017 – Malware disguised as ransomware, named NotPetya; its infrastructure and attack patterns matched previous Sandworm activity.
Sandworm works closely with APT28, yet APT28 builds its own malware and 0-days, while Sandworm uses openly purchased items.
TURLA
Another group associated with APT28 is Turla
Also known as Snake, Uroburos, Venomous Bear, Waterbug
Targets:
Government
Military
Education
Research
Pharmaceutical Sectors
Windows environments, but sometimes Linux targets
METHODS/TACTICS
Watering Hole sites
Spear Phishing
Known victims:
U.S. Department of Defense, 2008
Two European Foreign Offices
Defense Contractors
Germany’s Federal Foreign Office
Germany’s Federal College of Public Administration
CYBERBERKUT
Pro-Russian Ukrainian hacktivists, supposedly; the UK assesses that it is really the GRU