Kremlin-Linked Hackers Turla and Gamaredon Spotted Collaborating on Cyber Operations
Prague, Czech Republic – Security researchers at ESET have uncovered evidence of collaboration between two highly active Russian state-sponsored hacking groups, Turla and Gamaredon, indicating a coordinated effort to compromise targets. The findings suggest Gamaredon is handing access to compromised systems over to Turla operators, potentially so that Turla can target specific machines holding sensitive intelligence.
Both groups are believed to operate under the umbrella of Russia’s Federal Security Service (FSB), though within different divisions. ESET’s analysis indicates that Gamaredon grants Turla operators access to systems it has already compromised, where Turla then executes commands and deploys its own malware.
The collaboration was first observed in February, with four co-compromises detected in Ukraine. Gamaredon deployed a suite of tools – including PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin – while Turla installed Kazuar v3, its proprietary backdoor. On one compromised device, ESET software directly observed Turla issuing commands through Gamaredon’s implants.
“PteroGraphin was used to restart Kazuar, possibly after Kazuar crashed or was not launched automatically,” ESET researchers stated. “Thus, PteroGraphin was probably used as a recovery method by Turla.” This represents the first technical link established between the two groups (see First chain: Restart of Kazuar v3).
Further evidence emerged in April and June, when ESET detected Kazuar v2 installers being deployed via Gamaredon malware. Although the final payloads could not be recovered, because ESET software was installed on those machines only after the compromise, the firm believes these cases reinforce that the collaboration is active and ongoing.
Gamaredon has a history of working with other hacking groups, including InvisiMole, as ESET documented in 2020. Given Gamaredon’s broad reach – potentially thousands of compromised machines – ESET speculates that Turla is selectively choosing, from among those victims, the systems most likely to hold highly sensitive intelligence.