Russian Government-Backed Hackers Partner in Cyber Assaults on Ukraine

Russian cyber groups Gamaredon and Turla, both linked to the FSB, are sharing resources to carry out espionage attacks on Ukrainian businesses.

In a concerning development, Russian state-linked cyberattack groups Gamaredon and Turla have been found collaborating to compromise top news targets in Ukraine. The collaboration between these two groups, both affiliated with the Russian Federal Security Service (FSB), has been observed since Russia's invasion of Ukraine in 2022.

ESET, a leading cybersecurity firm, published a report on September 19, 2025, linking these two groups together via technical indicators. The report highlighted several instances of collaboration between the two groups, including the use of shared tools in campaigns during 2025.

One such instance occurred in February 2025, when ESET observed four attacks where Turla was able to issue commands via Gamaredon implants. This discovery has led researchers to conclude with high confidence that the two groups are collaborating.

Gamaredon, active since at least 2013, has primarily targeted Ukrainian governmental institutions. On the other hand, Turla, active since at least 2004, has mainly focused on high-profile targets in Europe, Central Asia, and the Middle East. Despite their different target profiles, the collaboration between the two groups has been marked by the shared use of tools.

One such tool is Kazuar, used by both groups for data downloading. Kazuar is capable of gathering various system details, such as the victim's computer name and username, list of running processes, OS version, and lists of files and directories in various locations.

Interestingly, while Gamaredon has been observed compromising 'hundreds if not thousands of machines,' Turla has only been detected on seven machines in Ukraine in the past 18 months. This suggests that Turla is interested in specific machines, probably ones containing highly sensitive intelligence.

Another tool used in this collaboration is PteroGraphin, previously thought to be exclusive to Gamaredon. ESET's findings reveal that PteroGraphin was used to restart Turla's Kazuar backdoor malware.

The collaboration between Gamaredon and Turla was also observed in April and June 2025, with Kazuar v2 installers being deployed directly by Gamaredon tools. These activities, as per ESET data, have been focused on the Ukrainian defense sector in recent months.

Turla's main targets, however, remain governments and diplomatic entities, unlike Gamaredon's broader targeting. The 2022 full-scale invasion of Ukraine has probably reinforced this convergence, with ESET data showing Gamaredon and Turla activities focusing on the Ukrainian defense sector in recent months.

This collaboration poses a significant threat to the security of Ukraine and the region as a whole. As the situation in Ukraine continues to evolve, it is crucial for cybersecurity firms and governments to stay vigilant and respond swiftly to any potential threats.
