ESET has reported evidence that two Russian state-aligned hacking groups, Turla and Gamaredon, are collaborating in cyber operations against Ukrainian systems. Both groups are attributed to Russia's Federal Security Service (FSB), though to different centers within the organization, which makes cooperation plausible; the concrete evidence, however, comes from ESET's telemetry. According to ESET, Gamaredon's access was used by Turla operators: commands issued through Gamaredon's implants restarted Kazuar, Turla's proprietary backdoor, on specific machines, and Gamaredon tooling was later used to deploy Kazuar v2 installers on additional systems.
Gamaredon has been observed working alongside other groups before: in 2020, ESET documented its cooperation with the group it tracks as InvisiMole. In February 2025, ESET's researchers identified four separate co-compromises in Ukraine in which both Gamaredon and Turla were present on the same machines and a variety of malware was deployed. On the Gamaredon side this included the tools ESET tracks as PteroLNK, PteroStew, PteroOdd, PteroEffigy and PteroGraphin, while Turla deployed version 3 of Kazuar.
Analysis of the compromised devices in ESET's telemetry showed Turla issuing commands through Gamaredon's implants. Specifically, PteroGraphin was used to restart Kazuar v3, most likely as a recovery step after the backdoor had crashed or failed to start on its own. This is a direct technical link between the two groups, not merely coexistence on the same hosts, and it points to genuine operational interdependence.
In April and June, ESET observed Gamaredon tooling deploying installers for Kazuar v2. Because ESET's software had been installed on the affected machines only after the initial compromise, the full payloads could not be recovered. ESET nevertheless assesses with confidence that the two groups are cooperating. Given that Gamaredon compromises hundreds, if not thousands, of systems, the implication is that Turla hand-picks a small number of those machines, likely the ones holding information of intelligence value, rather than exploiting Gamaredon's access broadly.
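The pattern ESET describes, one group's implant restarting or installing another group's backdoor on a subset of hosts, is something a defender can hunt for in their own endpoint telemetry. The following is an added example (not ESET's code or data) that correlates a small set of constructed telemetry records: it lists hosts carrying implants from both groups, extracts the events in which a Gamaredon-tracked family acted on a Turla-tracked family, and computes how small a share of Gamaredon hosts Turla touched. The family names are the ones named above; the record format, host names, timestamps and group membership sets are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Family names as given in the report; grouping them into sets is the
# analyst's own labelling for this example, not an ESET-published list.
GAMAREDON_FAMILIES = {"PteroLNK", "PteroStew", "PteroOdd", "PteroEffigy", "PteroGraphin"}
TURLA_FAMILIES = {"Kazuar"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    family: str   # implant that performed the action
    action: str   # detected | restarted | installed
    target: str   # family acted upon ("" when none)


# Constructed sample telemetry (assumed format):
#   "<ISO timestamp> <host> <family> <action> <target or ->"
# These lines are illustrative only and do not reproduce ESET's data.
SAMPLE_TELEMETRY = [
    "2025-02-10T09:12:00 host-a PteroGraphin detected -",
    "2025-02-10T09:13:20 host-a Kazuar detected -",
    "2025-02-11T14:02:05 host-a PteroGraphin restarted Kazuar",
    "2025-02-12T08:30:00 host-b PteroStew detected -",
    "2025-04-03T11:45:10 host-c PteroOdd detected -",
    "2025-04-03T11:47:42 host-c PteroOdd installed Kazuar",
    "2025-06-18T16:20:00 host-d PteroLNK detected -",
]


def parse_event(line: str) -> Event:
    """Parse one telemetry line; raise ValueError on a malformed record."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    ts, host, family, action, target = fields
    return Event(datetime.fromisoformat(ts), host, family, action,
                 "" if target == "-" else target)


def load_events(lines):
    """Parse all lines and return them in chronological order."""
    return sorted((parse_event(line) for line in lines), key=lambda e: e.ts)


def families_per_host(events):
    """Map host -> set of families seen there. An implant that was installed
    or restarted by another implant counts as present on that host."""
    seen = defaultdict(set)
    for e in events:
        seen[e.host].add(e.family)
        if e.target:
            seen[e.host].add(e.target)
    return dict(seen)


def co_compromised(events):
    """Hosts on which at least one family from each group is present."""
    return {host: fams for host, fams in families_per_host(events).items()
            if fams & GAMAREDON_FAMILIES and fams & TURLA_FAMILIES}


def cross_group_actions(events):
    """Events in which a Gamaredon implant acted on a Turla implant, in time
    order: the restart-Kazuar and install-Kazuar pattern from the report."""
    return [e for e in events
            if e.family in GAMAREDON_FAMILIES and e.target in TURLA_FAMILIES]


def turla_share_of_gamaredon_hosts(events):
    """Fraction of Gamaredon-compromised hosts that also carry a Turla implant.
    A small value is what you would expect if Turla hand-picks targets."""
    per_host = families_per_host(events)
    gam_hosts = [h for h, f in per_host.items() if f & GAMAREDON_FAMILIES]
    if not gam_hosts:
        return 0.0
    both = [h for h in gam_hosts if per_host[h] & TURLA_FAMILIES]
    return len(both) / len(gam_hosts)


if __name__ == "__main__":
    evs = load_events(SAMPLE_TELEMETRY)
    for host, fams in sorted(co_compromised(evs).items()):
        print(f"{host}: co-compromised by {sorted(fams)}")
    for e in cross_group_actions(evs):
        print(f"{e.ts.isoformat()} {e.host}: {e.family} {e.action} {e.target}")
    print(f"Turla present on {turla_share_of_gamaredon_hosts(evs):.0%} of Gamaredon hosts")
```

On the constructed data, host-a and host-c are flagged as co-compromised, the two cross-group actions are PteroGraphin restarting Kazuar and PteroOdd installing it, and Turla appears on half of the Gamaredon hosts. In a real deployment the same logic runs over EDR process and detection events keyed by host; the point is that a second family showing up on a host already known to be compromised by the first should raise the host's priority rather than be folded into the existing incident.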
In MITRE ATT&CK terms, the activity spans initial access (Gamaredon's usual spearphishing, or exploitation of a vulnerability), persistence through the backdoors left on compromised hosts, possibly privilege escalation to widen access, and, distinctively here, execution of commands on a host by a second actor through the first actor's implant. The practical lesson for defenders is the hand-off: a host compromised by a noisy, high-volume actor can be quietly reused by a more selective one to extract intelligence from high-value targets, so finding one implant family should trigger a hunt for others on the same host rather than a single-family clean-up.
The interconnectedness of these groups illustrates the challenge organizations face as threats evolve: an intrusion by one actor can become a foothold for another. Mapping observed tactics and techniques to the MITRE ATT&CK framework helps defenders reason about such chained access and prioritize their detections accordingly.