Russian spy groups Turla, Gamaredon join forces to hack Ukraine, researchers say
Researchers have uncovered what they say is the first documented collaboration in Ukraine between two of Moscow’s most notorious hacking groups — Turla and Gamaredon — both linked to Russia’s Federal Security Service (FSB).
Gamaredon, active since at least 2013 and believed to operate from the Russian-annexed Crimean peninsula, remains Ukraine’s most active state-sponsored threat actor, according to Ukrainian officials. It typically targets government services and defense enterprises.
Turla, active since at least 2004, is known for sophisticated espionage operations against governments and diplomatic entities in Europe, Central Asia and the Middle East.
In February, Slovak cybersecurity firm ESET said it had detected four cases in which both groups compromised the same Ukrainian machines. Gamaredon deployed a range of its custom tools — including PteroLNK, PteroStew, PteroOdd, PteroEffigy and PteroGraphin — while Turla installed its Kazuar v3 backdoor.
In at least one case, researchers observed Turla remotely restarting its malware via a Gamaredon implant, effectively using its counterpart’s infrastructure as a support system. “This is the first time that we have been able to link these two groups together via technical indicators,” ESET said in a report on Friday.
While the initial method of compromise is unclear, Gamaredon is known for spearphishing and the use of infected removable drives, which researchers consider the most likely entry points.
Over the past year and a half, ESET said it detected Turla on seven Ukrainian machines, compared with hundreds or thousands compromised by Gamaredon. “This suggests that Turla is interested only in specific machines, probably ones containing highly sensitive intelligence,” researchers added.
It is not the first time Gamaredon has collaborated with another Russian-aligned actor. In 2020, researchers observed its infrastructure being used by the InvisiMole group. Turla, for its part, has a history of hijacking other groups’ infrastructure to infiltrate targets. ESET believes that Gamaredon appears to provide initial access to networks, which Turla then leverages to install its own implants.
According to researchers, the two FSB units commonly associated with Turla and Gamaredon have a long history of reported collaboration, which can be traced back to the Cold War era.
“In this context, it is perhaps not entirely surprising that APT groups operating within these two FSB Centers are observed cooperating to some extent,” ESET said.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.