Turla & Gamaredon: Russian Hacking Groups Unveil Unprecedented Collaboration in Ukraine

Two powerful Russian hacking groups join forces in Ukraine. This collaboration could significantly boost their cyber espionage capabilities.

ESET researchers have uncovered an unprecedented collaboration between two Russian-linked hacking groups, Turla and Gamaredon, in Ukraine. This discovery reveals a new level of cooperation among state-sponsored threat actors.

Over the past year and a half, ESET detected Turla on seven Ukrainian machines, a stark contrast to the hundreds or thousands compromised by Gamaredon. This suggests Turla targets specific machines with highly sensitive intelligence. In February, ESET found four cases where both groups compromised the same Ukrainian machines. Gamaredon deployed custom tools, while Turla installed its Kazuar v3 backdoor. This is the first documented collaboration between these two groups.

Turla, active since 2004, is renowned for sophisticated espionage operations against governments and diplomatic entities worldwide. Gamaredon, active since 2013, is the most active state-sponsored threat actor in Ukraine, typically targeting government services and defense enterprises. ESET believes Gamaredon provides initial access to networks, which Turla then leverages to install its own implants. In at least one case, Turla used Gamaredon's infrastructure to remotely restart its malware. Gamaredon is known for using spearphishing and infected removable drives as entry points for compromise.

In this collaboration, the entity presumably connected with the APT group Turla is the Russian domestic intelligence agency, the FSB. This connection and the cooperation with the APT group Gamaredon have been confirmed in activities documented from early 2024 up to at least February 2025. This is not the first time Gamaredon has collaborated with another Russian-aligned actor: it previously worked with InvisiMole in 2020.

The discovery of Turla and Gamaredon's collaboration highlights the evolving tactics of state-sponsored threat actors. Their cooperation allows them to leverage each other's strengths, potentially increasing their effectiveness in cyber espionage. As these groups continue to adapt and collaborate, it is crucial for cybersecurity researchers and practitioners to stay vigilant and informed.
