First-Ever Malware Tie-Up Spotted Between FSB’s Turla and Gamaredon Hacking Groups

Separate Russian intelligence hacking teams appear to have joined forces against high-value intelligence targets in Ukraine.
Cybersecurity firm Eset says it spotted a tie-up between the two groups in attacks that ran from at least January to June.
The threat groups involved are tracked as Gamaredon and Turla. Both are tied to separate arms of Russia’s Federal Security Service, the Kremlin’s primary domestic security and intelligence agency. Known as the FSB, the agency is Russia’s successor to the Soviet Union’s KGB.
While the two groups are part of the same Russian intelligence agency, researchers said they’d never before seen evidence of one group using the other’s malware.
“We believe with high confidence that both groups – separately associated with the FSB – are cooperating and that Gamaredon is providing initial access to Turla,” said Zoltán Rusnák, a researcher at Eset.
“In the course of this year, Eset has detected Turla on seven machines in Ukraine,” said Eset researcher Matthieu Faou. “Since Gamaredon is compromising hundreds if not thousands of machines, this suggests that Turla is only interested in specific machines, probably those containing highly sensitive intelligence.”
Evidence for the joint operation comes as Russia’s war of conquest against Ukraine is well into its fourth year. Despite U.S. President Donald Trump calling on Russian leader Vladimir Putin to agree to a ceasefire, the Russian military has intensified its drone and missile attacks, and recently violated Polish and Romanian airspace with drones and Estonia’s airspace with military jets. The incursions resulted in a new round of sanctions from the European Union that include cryptocurrency platforms used by Moscow to launder money.
The researchers first spotted in February four systems infected with a Turla backdoor called Kazuar, which attackers appeared to recover or restart – perhaps because it crashed or never got correctly installed in the first place – by using malware tools Gamaredon installed on the system, including PteroGraphin and PteroOdd. They said the Ukrainian systems appeared to have been compromised in January, and the Kazuar v3 backdoor relaunched in February.
They described Kazuar as “an advanced C# espionage implant that Eset believes is used exclusively by Turla; it was first seen in 2016.”
“In all four cases, the Eset endpoint product was installed after the compromises,” they said. As a result, “we are unable to pinpoint the exact compromise method,” although they could make an informed guess about the initial infection vector.
“Gamaredon is known for using spearphishing and malicious .lnk files on removable drives, thus one of these was the most likely compromise vector,” Rusnák said.
The researchers later identified three more systems on which Gamaredon tools PteroOdd and PteroPaste deployed Kazuar v2, in April and June.
Faou, who discovered the tie-up with Rusnák, was due to present their findings Friday at the Labscon 2025 conference hosted by SentinelOne in Arizona.
Prior to this campaign being discovered, the last time researchers detected a Turla compromise in Ukraine was in February 2024.
Tracking Gamaredon and Turla
Evidence of a joint operation between Gamaredon and Turla can run counter to the Russian intelligence services’ reputation, in the words of one assessment, as being “internally divided, distracted by bureaucratic turf wars” and often producing “poor quality intelligence.”
But Eset said “there are indications that such tensions chiefly apply to interservice relations rather than to intra-agency interactions” and that “in this context, it is perhaps not entirely surprising” that two of the FSB’s APT groups might be working together.
In fact, “both entities seem to maintain some mission overlaps – especially with regard to former Soviet republics,” Eset said.
Security researchers have tracked Gamaredon since it appeared in 2013, earning its codename from misspelling the word Armageddon in one of its early campaigns. Security experts also track it as Primitive Bear, Shuckworm and Aqua Blizzard, and said it focuses on targeting Ukraine, including its military, judiciary, law enforcement and non-profit organizations.
Ukrainian officials have described Gamaredon as being “an FSB special project” devoted to targeting Ukraine, often operating out of Russian-occupied Crimea, and coordinated by the FSB’s Moscow-based Center 18. The Five Eyes intelligence alliance assesses that Center 18, aka the Center for Information Security Military Unit 64829, is a unit of the FSB’s Counter-Intelligence Service.
Turla’s existence dates to at least 2004, and possibly the late 1990s. The group is also tracked as Snake, Krypton, Venomous Bear and Secret Blizzard, and excels at watering hole and spear-phishing campaigns. Experts said the group has been tied to attacks against more than 50 countries, including military, government, research and development and pharmaceutical targets.
A number of major breaches are linked to Turla, including attacks against the U.S. Department of Defense in 2008 and Swiss defense contractor RUAG in 2014. In 2019, the United States and Great Britain unmasked Turla as having hijacked significant attack infrastructure and attack tools used by an Iranian nation-state attack team called OilRig, also tracked as APT34, Crambus or HelixKitten.
Western intelligence agencies say Turla is run by FSB Center 16, aka Military Unit 71330, which focuses on foreign intelligence and traces its lineage to the KGB’s 16th Directorate, which until 1991 was responsible for signals intelligence and securing government communications. The U.K. government says Center 16 “is responsible for cyber operations including the intercepting, decrypting and processing of electronic messages, and the technical penetration of foreign targets.”
In 2018, Ukraine’s Security Service attributed an attack campaign tracked as SpiceyHoney by CrowdStrike to a joint Center 16 and Center 18 operation, including the participation of “Gameredon,” using a then-new custom backdoor called Pteranodon.
