Russia’s most prominent hacking units, Turla and Gamaredon, are believed to have recently collaborated on malware attacks targeting devices in Ukraine. Security researchers, including those from the firm ESET, spotted the groups’ malware on the same systems, suggesting a coordinated effort. While both groups are widely believed to be part of the Russian Federal Security Service (FSB), this joint operation is a notable development.
Turla is considered one of the world’s most advanced hacking groups. They are known for their discreet, highly targeted attacks on high-value adversaries, which have included the US Department of Defense, the German Foreign Office, and the French military. This group is also known for its innovative tactics, such as using stealthy Linux malware and satellite-based internet to maintain a low profile.
In contrast, Gamaredon is an advanced persistent threat (APT) that conducts widespread, less subtle operations, often focusing on targets in Ukraine. Unlike Turla, which works to avoid detection, Gamaredon doesn’t seem to care about being linked to the Russian government. Their malware is designed to quickly collect as much information as possible from a large number of targets.
Given their different operational styles, the collaboration between the two groups is unusual. While it’s possible that Turla hijacked Gamaredon’s infrastructure in a hostile takeover, a tactic they have used before, ESET’s most likely hypothesis is that the two groups are working together. According to ESET, Gamaredon likely provided Turla access to specific machines, allowing them to install their own proprietary malware.
This collaboration was observed in February, when ESET researchers identified four separate instances of co-compromised machines in Ukraine. In these cases, Gamaredon deployed its own suite of tools, while Turla installed its proprietary malware, Kazuar. On one machine, ESET’s software even observed Turla issuing commands through the Gamaredon implants, providing a clear indication of a joint operation. This isn’t the first time Gamaredon has collaborated, but this incident shows a new, high-level cooperation between two different FSB units.
Reference:
