Russian hackers Turla and Gamaredon are attacking Ukraine.

Researchers from ESET have uncovered the first documented case of a joint cyber operation in Ukraine between two of Russia’s most notorious hacker groups — Turla and Gamaredon, both linked to the Federal Security Service (FSB).

Who Are Turla and Gamaredon?

| Group | Active Since | Main Focus | Target Regions |
|---|---|---|---|
| Turla | 2004 | Cyber espionage against governments, embassies, and defense organizations | Europe, Central Asia, Middle East |
| Gamaredon | 2013 | Large-scale attacks on Ukrainian government and defense entities | Ukraine (Crimea-based) |

How the Attack Unfolded

In February 2025, cybersecurity firm ESET detected four cases where both groups compromised the same Ukrainian systems simultaneously.
Gamaredon deployed its typical custom malware tools, including:

  • PteroLNK
  • PteroStew
  • PteroOdd
  • PteroEffigy
  • PteroGraphin

Meanwhile, Turla installed its advanced Kazuar v3 backdoor, a powerful espionage tool designed for stealthy access and data collection.

An Unprecedented Link Between the Two Groups

In at least one case, researchers observed Turla remotely restarting its malware through a Gamaredon implant, effectively leveraging Gamaredon’s infrastructure for support.
This marks the first confirmed instance of technical collaboration between these two FSB-affiliated hacking groups in Ukraine.

Why It Matters

  • Gamaredon typically infects hundreds or thousands of systems, often using spear-phishing and infected USB drives.
  • Turla targets only high-value machines containing sensitive intelligence.

Their cooperation suggests a new level of coordination among Russian state-sponsored APT groups, combining mass infection methods with surgical espionage tactics.

Historical Context

According to experts, collaboration between the FSB units behind Turla and Gamaredon dates back to the Cold War era, which may explain their operational synergy in the digital age.

“This is the first time we’ve been able to technically link these two groups,” said ESET researchers.
“Gamaredon appears to provide initial access, while Turla leverages it to deploy its own implants.”

Key Takeaways

  • First verified Turla–Gamaredon joint operation in Ukraine
  • Use of advanced espionage tools (Kazuar, PteroLNK, etc.)
  • Focused attacks on Ukrainian government and defense sectors
  • Demonstrates increasing FSB coordination in cyberspace

SOURCE: https://therecord.media/russian-spy-groups-turla-gamaredon-target-ukraine
