Turla and Gamaredon: Evidence of Collaboration Between Russian Cyber Espionage Groups
Recent research by ESET reveals a likely collaboration between two distinct Russian-linked cyber espionage groups: Turla and Gamaredon. This connection, previously suspected, is now supported by technical indicators showing Gamaredon infrastructure being used to deploy tools associated with Turla, suggesting a coordinated effort to compromise high-value targets. The findings highlight the evolving tactics of state-sponsored threat actors and the potential for increased sophistication through partnerships.
Identifying the groups
Both Turla and Gamaredon are well-established Advanced Persistent Threat (APT) groups with a history of targeting governments, military organizations, and other sensitive entities.
* Turla (also known as Snake): A sophisticated group attributed to Russian intelligence, Turla is known for long-running espionage campaigns and complex custom malware, including the Kazuar backdoor. Its targeting is broad and geopolitical, concentrating on governments, diplomatic entities and defence organizations. Mandiant provides a detailed overview of the Turla group.
* Gamaredon (also known as Armageddon): This group primarily targets Eastern European countries, above all Ukraine, and gathers intelligence through high-volume spear-phishing campaigns that deliver its own malware family (ESET tracks these implants under "Ptero"-prefixed names such as PteroGraphin). Gamaredon is known for compromising a very large number of machines, an approach that favours breadth of access over stealth. ESET's research provides in-depth analysis of Gamaredon's activities.
The Evidence of Collaboration
ESET’s examination uncovered several key indicators pointing to a working relationship between the two groups:
* Gamaredon Deploying Turla Tools: ESET researchers observed Gamaredon malware deploying installers for Kazuar v2, a backdoor traditionally associated with Turla. These deployments occurred in April and June. The final payloads could not be recovered because ESET software was installed on the affected machines only after they had been compromised, but the pattern of a Gamaredon implant staging a Turla backdoor is significant in itself.
* PteroGraphin as a Recovery Mechanism: ESET also found that PteroGraphin, one of Gamaredon's own tools, was used to restart Kazuar, most likely after the backdoor had crashed or failed to launch automatically. A Gamaredon implant being used to recover a Turla backdoor suggests that Turla can issue commands through Gamaredon's access to keep its own tooling running on machines it cares about. ESET details the Kazuar restart chain.
* Targeted Access: Given Gamaredon's ability to compromise a vast number of systems, ESET speculates that Turla is using this access to identify the machines that hold the most sensitive intelligence and then deploying its own backdoor only there. This points to a division of labour, with Gamaredon providing broad initial access and Turla concentrating on a small set of high-value targets.
Implications and Future Outlook
The collaboration between Turla and Gamaredon represents a concerning trend in the cyber threat landscape. It demonstrates a willingness among state-sponsored actors to share resources and expertise, potentially increasing the effectiveness and reach of their operations.
This partnership likely allows Turla to:
* Expand its access: Leverage Gamaredon’s compromised network to identify and target valuable assets.
* Reduce risk: Utilize Gamaredon as a proxy to mask its activities and potentially evade detection.
* Increase efficiency: Focus its resources on exploiting high-value targets identified through Gamaredon’s broad reconnaissance.
Going forward, security professionals should anticipate increased collaboration between APT groups and a blurring of the lines between traditionally distinct threat actors. Enhanced threat intelligence sharing and proactive monitoring for indicators of compromise associated with both Turla and Gamaredon will be crucial in mitigating the risks posed by these evolving threats.
Key Takeaways:
* Evidence of Collaboration: Technical evidence now supports a likely working relationship between Turla and Gamaredon.
* Division of Labor: Gamaredon likely provides broad access, while Turla focuses on high-value targets.
* Increased Sophistication: Collaboration enhances the capabilities of both groups.
* Evolving Threat Landscape: Expect more partnerships between state-sponsored APTs.