Collaboration Between Russian Hack Groups: An ESET Analysis
Recent insights from ESET, a well-regarded cybersecurity company, reveal intriguing developments in the tactics of Russian hack groups, particularly Turla and Gamaredon. Both of these entities are reportedly linked to the Russian Federal Security Service (FSB), albeit operating from distinct departments within the organization. This relationship may suggest a coordinated strategy in cyber operations.
Joint Operations: The Evidence
ESET’s analysis leans toward the hypothesis that Turla and Gamaredon are not just working independently, but are likely collaborating. This collaboration was evident when Gamaredon reportedly provided access to Turla operators, enabling them to execute commands on compromised machines. Researchers observed a case in which Gamaredon facilitated the restart of Kazuar, Turla’s proprietary malware, and even deployed Kazuar version 2 on multiple systems.
Historical Collaborations
This isn’t the first time Gamaredon has been linked to joint operations; notably, in 2020, they worked alongside a group identified as InvisiMole. Such collaborations underscore a trend of inter-group cooperation among Russian cybercriminal organizations, suggesting a well-choreographed approach to cyber espionage.
Recent Findings in Ukraine
In February, ESET identified four separate instances of co-compromise between Gamaredon and Turla in Ukraine. In these cases, Gamaredon deployed a diverse toolkit, including malware variants like PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin. In parallel, Turla installed version 3 of Kazuar, emphasizing their focused interests on high-value intelligence targets.
Technical Indicators of Collaboration
The research from ESET highlighted a noteworthy technical finding: Turla was observed issuing commands via Gamaredon’s implants on compromised systems. Specifically, PteroGraphin was utilized to restart Kazuar, indicating a method of recovery when the malware failed to launch or crashed. ESET noted, “This is the first time that we have been able to link these two groups together via technical indicators,” marking a significant breakthrough in understanding their interconnected methodologies.
Ongoing Threat Landscape
In subsequent months, particularly in April and June, ESET detected Kazuar version 2 installers being deployed via Gamaredon malware. Although the exact payloads could not be recovered, because ESET’s software was only installed after the compromise, the evidence strongly supports the notion of active collaboration between these hacking groups. The data further suggests that while Gamaredon compromises numerous machines, Turla’s interests appear targeted, likely aiming for machines holding critical and sensitive intelligence data.
As the landscape of cyber threats continues to evolve, the collaboration between these hacking groups serves as a reminder of the complex nature of cyber warfare today. Understanding these relationships could be crucial for organizations and governments seeking to bolster their cybersecurity defenses.
For a more detailed exploration of this subject, visit Here.
Image Credit: arstechnica.com