Russian state-sponsored hacking groups Turla and Gamaredon, both linked to the FSB, collaborated in a targeted cyber operation against Ukrainian government and defense systems. Gamaredon, known for high-volume spearphishing and removable-drive infections, provided initial access by compromising machines with its custom malware (e.g., PteroLNK, PteroStew). Turla then used that access to deploy its Kazuar v3 backdoor, a sophisticated espionage tool, on a small number of high-value targets likely holding sensitive intelligence. In one instance, Turla remotely restarted its malware via Gamaredon's infrastructure, showing how deeply the two operations were intertwined. The attack's scope suggests strategic espionage, potentially compromising classified defense, diplomatic, or government communications. While the exact data exfiltrated remains undisclosed, the collaboration between two elite APT groups signals a coordinated effort to undermine Ukraine's national security, with possible long-term repercussions for military operations, intelligence networks, or geopolitical stability. The use of FSB-aligned actors with Cold War-era ties underscores the attack's state-level orchestration and its intent to disrupt critical services or gather intelligence for strategic advantage.
Source: https://therecord.media/russian-spy-groups-turla-gamaredon-target-ukraine
TPRM report: https://www.rankiteo.com/company/mfa-ukraine
"id": "mfa4792147091925",
"linkid": "mfa-ukraine",
"type": "Cyber Attack",
"date": "9/2025",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'industry': 'Public Sector', 'location': 'Ukraine', 'name': 'Ukrainian Government', 'type': 'Government'},
                       {'industry': 'Military/Defense', 'location': 'Ukraine', 'name': 'Ukrainian Defense Enterprises', 'type': 'Defense'}],
 'attack_vector': ['Spearphishing (likely)', 'Infected Removable Drives (likely)', 'Malware Deployment (PteroLNK, PteroStew, Kazuar v3)'],
 'data_breach': {'data_exfiltration': 'Likely', 'sensitivity_of_data': 'High', 'type_of_data_compromised': ['Intelligence Data', 'Government/Defense Information']},
 'date_detected': '2024-02',
 'date_publicly_disclosed': '2024-02-23',
 'description': 'Researchers uncovered the first documented collaboration in Ukraine between two Russian state-sponsored hacking groups, Turla and Gamaredon (both linked to Russia’s FSB). ESET detected four cases where both groups compromised the same Ukrainian machines, with Turla leveraging Gamaredon’s infrastructure as a support system. Gamaredon deployed custom tools (e.g., PteroLNK, PteroStew), while Turla installed its Kazuar v3 backdoor. The collaboration suggests Turla targets highly sensitive intelligence, while Gamaredon provides initial access via spearphishing or infected removable drives. This aligns with historical FSB unit cooperation dating back to the Cold War.',
 'impact': {'data_compromised': ['Highly Sensitive Intelligence (likely)', 'Government/Defense Data'],
            'operational_impact': ['Compromised Network Integrity', 'Potential Data Exfiltration'],
            'systems_affected': ['Ukrainian Government Machines', 'Defense Enterprise Systems']},
 'initial_access_broker': {'backdoors_established': ['Gamaredon Implants (PteroLNK, PteroStew, etc.)', 'Turla Kazuar v3'],
                           'entry_point': ['Spearphishing (likely)', 'Infected Removable Drives (likely)'],
                           'high_value_targets': ['Ukrainian Government Machines', 'Defense Systems with Sensitive Intelligence']},
 'investigation_status': 'Ongoing (ESET analysis)',
 'lessons_learned': 'The incident highlights the evolving tactics of Russian APT groups, including infrastructure-sharing and cross-group collaboration to enhance operational efficiency. Initial access brokers (e.g., Gamaredon) may provide entry points for more sophisticated actors (e.g., Turla) to target high-value intelligence. Historical FSB unit cooperation suggests such collaborations may persist, necessitating advanced threat detection and inter-agency coordination.',
 'motivation': ['Espionage', 'Intelligence Gathering', 'State-Sponsored Cyber Operations'],
 'post_incident_analysis': {'root_causes': ['Likely initial compromise via spearphishing or removable media',
                                            'Infrastructure-sharing between APT groups (Turla leveraging Gamaredon implants)',
                                            'Targeted focus on high-value intelligence systems']},
 'recommendations': ['Enhance monitoring for APT group collaborations, particularly between Turla and Gamaredon.',
                     'Implement stricter controls on removable media and spearphishing defenses.',
                     'Conduct regular audits of high-value systems for signs of Kazuar or Gamaredon tooling.',
                     'Strengthen inter-governmental cybersecurity information sharing, especially in Ukraine.',
                     'Deploy behavioral analysis tools to detect anomalous remote command execution (e.g., Turla restarting malware via Gamaredon implants).'],
 'references': [{'date_accessed': '2024-02-23', 'source': 'ESET Research', 'url': 'https://www.welivesecurity.com/2024/02/23/turla-gamaredon-apt-collaboration-ukraine/'},
                {'date_accessed': '2024-02-23', 'source': 'Reuters', 'url': 'https://www.reuters.com/technology/cybersecurity/ukraine-hit-by-first-documented-collaboration-between-russian-hacking-groups-2024-02-23/'}],
 'response': {'third_party_assistance': ['ESET (Detection/Analysis)']},
 'threat_actor': ['Turla (FSB-linked)', 'Gamaredon (FSB-linked)'],
 'title': 'First Documented Collaboration Between Turla and Gamaredon APT Groups in Ukraine',
 'type': ['APT Collaboration', 'Espionage', 'Cyberattack']}