Also known as: BlackEnergy, Electrum, Iridium
Believed to operate out of: Eastern Europe
Usual targets: Ukraine
Behavior: Sandworm's attacks, which primarily target Ukraine, have been known to come in waves, appearing and then disappearing, and experts agree we'll see more of them in 2018. The group frequently uses spearphishing and has recently begun targeting the supply chain, a move likely to increase its target base, says Hultquist. While Ukraine is its primary target for ICS/SCADA attacks, there's always a chance Sandworm will broaden its reach. It previously researched a potential attack on US utility systems.
"Given that this activity doesn't appear to be declining or shrinking, the danger of them shifting and targeting outside Ukraine continues to increase," says Hultquist. "That could have serious repercussions for corporations operating all around the world."
Tied to: Ukraine power grid attacks of December 2015 and December 2016.
Hultquist and other security researchers have also linked the group to last summer's NotPetya attack, a destructive campaign which also primarily targeted Ukraine.