It is an active economic and political cyber espionage operation that targets a wide range of high-profile entities, from government institutions to media personalities. Its activities were first seen as far back as 2004, but recent developments have revealed more concrete details about the operation itself, including its origins and targets.
Regin, first identified in 2008, is a highly complex threat used by the APT group for large-scale data collection and intelligence-gathering campaigns. The development and operation of this threat would have required a significant investment of time and resources. Threats of this nature are rare and the discovery of Regin serves to highlight how significant investments continue to be made into the development of tools for use in intelligence-gathering. Many components of the Regin tools remain undiscovered, and additional functionality and versions may exist.
Potao Group. The group behind the well-known “Operation Potao Express” (here). The group mostly operates against Russian, Belarusian and Ukrainian government bodies and news agencies. The attacks were even used to spy on members of MMM, a Ponzi scheme popular in Russia.
The attacks conducted using the Win32/Potao malware family span the past 5 years, the first detections dating back to 2011. The attackers are, however, still very active, with the most recent infiltration attempts detected by ESET in July 2015.
Waterbug. Discovered and described by Symantec (here), Waterbug has been operating since 2005.
Waterbug is likely a state-sponsored group which uses an attack network (“Venom”) that consists of 84 compromised domains (websites). The watering-hole websites used by the Waterbug group are located in many different countries. The greatest number of compromised websites are found in France (19%), Germany (17%), Romania (17%), and Spain (13%).
DragonFly. Discovered and first mitigated by Symantec (here), the group mainly attacks energy suppliers:
Dragonfly, likely a group of hackers operating out of Eastern Europe since 2011, bears the hallmarks of a state-sponsored operation. Analysis of the compilation timestamps on the malware used by the attackers indicates that the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone.
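The compile-timestamp analysis described above, as an added example (not Symantec's or this post's code): it reads the COFF TimeDateStamp from PE samples, shifts each stamp into a chosen UTC offset and counts weekdays and hours, so the 9am to 6pm UTC+4 pattern quoted above can be checked on a sample set. The PE buffers below are constructed stand-ins, not real Dragonfly samples.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

def compile_timestamp(pe: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]          # offset of the PE header
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]

def activity_profile(samples, utc_offset_hours):
    """Count compile weekdays and hours after shifting each stamp into the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    weekdays, hours = Counter(), Counter()
    for pe in samples:
        local = datetime.fromtimestamp(compile_timestamp(pe), tz)
        weekdays[local.strftime("%a")] += 1
        hours[local.hour] += 1
    return weekdays, hours

def share_in_window(hours, start=9, end=18):
    """Fraction of samples compiled between start (inclusive) and end (exclusive) local hour."""
    total = sum(hours.values())
    return sum(n for h, n in hours.items() if start <= h < end) / total if total else 0.0

# Constructed input: minimal PE-like buffers carrying chosen timestamps, standing in for real samples.
def make_fake_pe(stamp: int) -> bytes:
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\x00\x00" + coff

UTC = timezone.utc
SAMPLES = [make_fake_pe(int(datetime(*t, tzinfo=UTC).timestamp())) for t in [
    (2013, 3, 4, 5, 30),    # Mon 09:30 in UTC+4
    (2013, 3, 5, 8, 15),    # Tue 12:15 in UTC+4
    (2013, 3, 7, 13, 40),   # Thu 17:40 in UTC+4
    (2013, 3, 8, 6, 5),     # Fri 10:05 in UTC+4
]]

if __name__ == "__main__":
    days, hrs = activity_profile(SAMPLES, utc_offset_hours=4)
    print(days, sorted(hrs.items()), share_in_window(hrs))
```

Run the same samples with an offset of 0 and the working-day share drops, which is the comparison an analyst makes when testing candidate time zones; note that a TimeDateStamp can be forged or zeroed, so it supports attribution only together with other evidence.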
Sandworm. Known for its most famous (so far) APT toolset, BlackEnergy (here). Operating out of Russia against Ukraine during the political conflict, Sandworm is a skilled group specialised in sandbox-evasion tricks and document (OLE) worms.
GovRat. Group behind several governmental attacks, discovered and mitigated by InfoArmor (here).
Several English-speaking developers began creating custom malware and using it as a group in 2015. GovRAT is the name they gave the malware – which is used primarily for cyber espionage, and is also the code name of the group, the hackers using it for infections.
Beyond the groups above, plenty of others, small and large, are out there; some are notorious while others are still hidden, so please consider this list incomplete and based on personal experience rather than on a scientific review process.