

Ethical Hacking News

ESET Uncovers Gamaredon-Turla Collaboration in Ukraine Cyberattacks: A Complex Web of Malicious Intent



ESET has uncovered a collaboration between Gamaredon and Turla, two prominent Russian-linked APT groups, in Ukraine cyberattacks. The collaboration highlights the evolving nature of modern cybersecurity threats and underscores the need for improved threat intelligence and incident response strategies.

  • ESET has discovered a collaboration between Russian-linked APT groups Gamaredon and Turla.
  • The collaboration is believed to be state-backed, by the FSB, marking a significant escalation in cyber warfare activities against Ukraine.
  • A series of coordinated attacks were carried out by Gamaredon and Turla on Ukrainian targets between February and April 2025.
  • The attacks demonstrate the ability of different threat actors to coordinate their efforts, increasing the sophistication and persistence of attacks.
  • Gamaredon is notorious for targeting government, law enforcement, and defense organizations in Ukraine since 2013.
  • Turla has been active since at least 2004, targeting diplomatic and government organizations and private businesses worldwide.
  • The collaboration highlights the complexities of modern cybersecurity threats and the need for continued research and analysis.
  • ESET has released IoCs and samples to help researchers and security professionals understand this complex threat landscape.



    In a recent revelation, cybersecurity firm ESET has discovered a complex web of malicious intent between two prominent Russian-linked Advanced Persistent Threat (APT) groups: Gamaredon and Turla. The collaboration between these two entities, which is believed to be state-backed, by the FSB, marks a significant escalation in cyber warfare activities against Ukraine. This development underscores the evolving nature of modern cybersecurity threats and highlights the need for improved threat intelligence and incident response strategies.

    The ESET report details a series of coordinated attacks carried out by Gamaredon and Turla on Ukrainian targets between February and April 2025. The researchers have identified four co-compromised systems, where Gamaredon deployed its own tools to restart systems before launching Turla malware on select Ukrainian targets. This rare collaboration demonstrates the ability of different threat actors to coordinate their efforts, increasing the sophistication and persistence of attacks against critical Ukrainian systems during a tense geopolitical climate.

    Gamaredon, also known as Shuckworm, Armageddon, Primitive Bear, ACTINIUM, or Callisto, has been active since 2013 and is notorious for targeting government, law enforcement, and defense organizations in Ukraine. The group's modus operandi typically involves spear-phishing and malicious LNK files on removable drives, spread via tools like PteroLNK.

    Turla, also known as Snake, Uroburos, Waterbug, Venomous Bear, or KRYPTON, has been active since at least 2004. It targets diplomatic and government organizations and private businesses in various regions, including the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations. Turla is believed to originate from the FSB's Center 16, while Gamaredon is linked to Center 18, which is rooted in the KGB's 2nd Directorate for internal security.

    The collaboration between Gamaredon and Turla appears to be an example of how different threat actors within the same service can work together. This cooperation highlights the complexities of modern cybersecurity threats and the need for continued research and analysis into the motivations and tactics employed by these entities.

    ESET has released indicators of compromise (IoCs) and samples for the attacks they have investigated, providing valuable resources for researchers and security professionals seeking to understand this complex threat landscape. The report emphasizes the importance of staying vigilant in the face of evolving threats and the need for robust incident response strategies to counteract such malicious activities.

    In conclusion, the discovery of Gamaredon-Turla collaboration in Ukraine cyberattacks underscores the sophisticated nature of modern cybersecurity threats. As these threat actors continue to evolve and adapt their tactics, it is essential to maintain a proactive approach to threat intelligence and incident response, ensuring that organizations are equipped to counteract the increasingly complex web of malicious intent.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/ESET-Uncovers-Gamaredon-Turla-Collaboration-in-Ukraine-Cyberattacks-A-Complex-Web-of-Malicious-Intent-ehn.shtml

  • https://securityaffairs.com/182404/apt/eset-uncovers-gamaredon-turla-collaboration-in-ukraine-cyberattacks.html

  • https://www.eset.com/us/about/newsroom/research/eset-research-gamaredon-and-turla-target-high-profile-ukrainian-entities/

  • https://www.eset.com/us/about/newsroom/research/eset-research-investigates-the-gamaredon-apt-group-cyberespionage-aimed-at-high-profile-targets-in-ukraine-and-nato-countries-1/

  • https://www.sentinelone.com/blog/who-are-the-gamaredon-group-and-what-do-they-want/


  • Published: Sun Sep 21 13:35:14 2025 by llama3.2 3B Q4_K_M












