Collaboration Between Russian Cyber Groups Turla and Gamaredon Intensifies Attacks on Ukrainian Targets

Recent investigations have unveiled a collaborative effort between two Russian state-sponsored cyber espionage groups, Turla and Gamaredon, targeting Ukrainian entities. Between February and April 2025, evidence indicates that Gamaredon’s tools were instrumental in deploying and managing Turla’s malware on specific Ukrainian systems.

Background on Turla and Gamaredon

Turla, also known by aliases such as Krypton, Snake, Venomous Bear, and Waterbug, has been active since at least 2004. This group is renowned for its sophisticated cyber operations targeting high-profile entities, including diplomats and government organizations across Europe, Central Asia, and the Middle East.

Gamaredon, also referred to as Armageddon, BlueAlpha, Blue Otso, Callisto, Iron Tilden, Primitive Bear, Sector C08, and Winterflounder, has been operational since at least 2013. Its primary focus has been on Ukrainian individuals and organizations, conducting thousands of intrusions over the years.

Recent Collaborative Activities

In early 2025, cybersecurity firm ESET identified instances where Gamaredon’s tools were utilized to facilitate Turla’s malware operations:

– February 2025: Gamaredon’s PteroGraphin tool was employed to restart Turla’s Kazuar espionage implant, suggesting a recovery action following a system crash.

– April 2025: Gamaredon’s PteroOdd and PteroPaste tools were used to deploy updated versions of Turla’s Kazuar v2 installers.

These findings are significant, considering that the last recorded Turla compromise in Ukraine was in February 2024. The selective nature of these attacks implies that Turla is targeting machines with highly sensitive intelligence.

Organizational Links and Historical Context

Both Turla and Gamaredon are believed to operate under Russia’s Federal Security Service (FSB):

– Turla: Associated with Center 16, Russia’s main signals intelligence agency.

– Gamaredon: Linked to Center 18, the Center for Information Security in Crimea.

These entities have a documented history of collaboration dating back to the Cold War era. The current joint operations underscore a continued strategic partnership aimed at compromising Ukrainian targets.

Implications and Strategic Insights

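The collaboration between Turla and Gamaredon combines the resources and expertise of both groups to make their operations more effective: in the observed cases, Gamaredon's tools were used to restart and deploy Turla's Kazuar implant. This partnership poses significant challenges for cybersecurity defenses, as it leverages the strengths of both groups to achieve strategic objectives. For defenders, finding Gamaredon tooling on a system is therefore not grounds to rule out a Turla implant on the same machine.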

Conclusion

The recent joint activities of Turla and Gamaredon represent a heightened threat to Ukrainian cybersecurity. Understanding the dynamics of this collaboration is crucial for developing effective countermeasures and safeguarding sensitive information against state-sponsored cyber threats.