Two of the Kremlin’s most active hack groups are collaborating, ESET says

https://arstechnica.com/security/2025/09/two-of-the-kremlins-most-active-hack-groups-are-collaborating-eset-says/

Dan Goodin, Sep 19, 2025

Two of the Kremlin’s most active hacking units were recently spotted collaborating in malware attacks that compromise high-value devices located in Ukraine, security researchers said Friday.

One of the groups is Turla, which is easily one of the world’s most sophisticated advanced persistent threats (well-organized and well-funded hacking groups, many backed by nation states, that target specific adversaries for years at a time). Researchers from multiple security firms largely agree that Turla was behind breaches of the US Department of Defense in 2008, and more recently, the German Foreign Office and France's military. The group has also been known for unleashing stealthy Linux malware and using satellite-based Internet links to maintain the stealth of its operations. The group conducts narrowly targeted attacks on high-value targets and keeps a low profile.

Gamaredon, meanwhile, is a separate APT known for conducting much wider-scale operations, often targeting organizations in Ukraine. Whereas Turla takes pains to fly under the radar, Gamaredon doesn’t seem to care about being detected and linked to the Russian government. Its malware generally aims to collect as much information from targets as possible over a short period of time. Both Turla and Gamaredon are widely assessed to be units of Russia’s Federal Security Service (FSB), the country’s chief security agency and successor to the Soviet Union’s KGB.

Hostile takeover possible, collaboration more likely

Security firm ESET said Friday that it has spotted both groups’ malware being installed alongside each other or interoperating on multiple devices in recent months. Company researchers said it’s possible Turla may have hijacked Gamaredon’s infrastructure in a manner similar to a 2019 event in which the group conducted a hostile takeover of an attack platform belonging to a competing APT working for Iran’s government. Similarly, Turla last year appropriated the infrastructure of two financially motivated hack groups in a campaign targeting Starlink-connected devices in Ukraine.

But ESET said its most likely hypothesis is that Turla and Gamaredon were working together. “Given that both groups are part of the Russian FSB (though in two different Centers), Gamaredon provided access to Turla operators so that they could issue commands on a specific machine to restart Kazuar, and deploy Kazuar v2 on some others,” the company said.

Friday’s post noted that Gamaredon has been seen collaborating with other hack groups previously, specifically in 2020 with a group ESET tracks under the name InvisiMole.

In February, ESET said, company researchers spotted four distinct Gamaredon-Turla co-compromises in Ukraine. On all of the machines, Gamaredon deployed a wide range of tools, including those tracked under the names PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin. Turla, for its part, installed version 3 of its proprietary malware Kazuar.

ESET software installed on one of the compromised devices observed Turla issuing commands through the Gamaredon implants.

“PteroGraphin was used to restart Kazuar, possibly after Kazuar crashed or was not launched automatically,” ESET said. “Thus, PteroGraphin was probably used as a recovery method by Turla. This is the first time that we have been able to link these two groups together via technical indicators (see First chain: Restart of Kazuar v3).”

Then, in April and again in June, ESET said it detected Kazuar v2 installers being deployed by Gamaredon malware. In all the cases, ESET software was installed after the compromises, so it wasn’t possible to recover the payloads. Nonetheless, the firm said it believes an active collaboration between the groups is the most likely explanation.

“All those elements, and the fact that Gamaredon is compromising hundreds if not thousands of machines, suggest that Turla is interested only in specific machines, probably ones containing highly sensitive intelligence,” ESET speculated.