
Kremlin’s Top Hack Groups Now Collaborating, ESET Warns

Summary

– Two Kremlin-linked hacking groups, Turla and Gamaredon, recently collaborated in malware attacks targeting high-value devices in Ukraine.
– Turla is a highly sophisticated and stealthy group known for narrow, targeted attacks on entities like the US Department of Defense and European governments.
– Gamaredon conducts broader operations focused on Ukraine and does not prioritize avoiding detection or attribution to the Russian government.
– Both groups are widely assessed to be units of Russia’s Federal Security Service (FSB), the country’s main security agency.
– Security researchers suggest Turla may have hijacked Gamaredon’s infrastructure, similar to past hostile takeovers of other groups’ attack platforms.

Security researchers have identified a concerning new development in the cyber threat landscape: two of Russia’s most prominent state-sponsored hacking groups are now actively collaborating in attacks against Ukrainian targets. This joint effort represents a significant escalation in both coordination and capability, merging the distinct strengths of these advanced threat actors.

One of these groups, known as Turla, stands out as one of the most sophisticated and stealthy hacking collectives in operation today. Widely attributed to Russia’s Federal Security Service (FSB), Turla specializes in highly targeted, long-term intrusions against high-value government and military entities. The group is believed to be responsible for breaching the US Department of Defense in 2008 and, more recently, systems within the German Foreign Office and the French military. Turla is notorious for its innovative methods, including the deployment of stealthy Linux malware and the use of satellite-based internet links to evade detection.

In contrast, Gamaredon operates with a different philosophy. Also linked to the FSB, this group casts a much wider net, frequently launching broad campaigns against Ukrainian organizations. Unlike Turla, which prioritizes remaining undetected, Gamaredon appears unconcerned with operational secrecy and focuses on rapidly harvesting as much data as possible from its victims. Despite their differing tactics, both groups share the same strategic backing.

Recent analysis by cybersecurity firm ESET reveals that malware associated with both Turla and Gamaredon has been found operating in tandem on the same compromised devices. This suggests a level of cooperation previously unseen between these units. One possibility is that Turla has once again executed a hostile takeover of another group’s infrastructure, a tactic it has employed in the past. In 2019, for example, Turla commandeered an attack platform belonging to an Iranian state-linked hacking group. More recently, it appropriated infrastructure from financially motivated cybercriminals to target Starlink users in Ukraine.

Whether through collaboration or coercion, the merging of these groups’ tools and techniques poses a heightened risk to targeted organizations, combining Turla’s surgical precision with Gamaredon’s aggressive data collection strategies.

(Source: Ars Technica)
