
"But ESET said its most likely hypothesis is that Turla and Gamaredon were working together. "Given that both groups are part of the Russian FSB (though in two different Centers), Gamaredon provided access to Turla operators so that they could issue commands on a specific machine to restart Kazuar, and deploy Kazuar v2 on some others," the company said. Friday's post noted that Gamaredon has been seen collaborating with other hack groups previously, specifically in 2020 with a group ESET tracks under the name InvisiMole."
""PteroGraphin was used to restart Kazuar, possibly after Kazuar crashed or was not launched automatically," ESET said. "Thus, PteroGraphin was probably used as a recovery method by Turla. This is the first time that we have been able to link these two groups together via technical indicators (see First chain: Restart of Kazuar v3)." Then, in April and again in June, ESET said it detected Kazuar v2 installers being deployed by Gamaredon malware."
"In February, ESET said, company researchers spotted four distinct Gamaredon-Turla co-compromises in Ukraine. On all of the machines, Gamaredon deployed a wide range of tools, including those tracked under the names PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin. Turla, for its part, installed version 3 of its proprietary malware Kazuar. ESET software installed on one of the compromised devices observed Turla issuing commands through the Gamaredon implants."
Gamaredon and Turla, both linked to Russian FSB centers, collaborated in operations that affected Ukrainian machines. Gamaredon provided access to machines and deployed diverse tools (PteroLNK, PteroStew, PteroOdd, PteroEffigy, PteroGraphin) while Turla installed Kazuar v3 on select targets. PteroGraphin was used to restart Kazuar, likely as a recovery method after crashes or failed launches, demonstrating integrated tool use. Subsequent observations showed Gamaredon deploying Kazuar v2 installers, indicating sustained coordination and shared operational objectives. Gamaredon’s broad compromise of hundreds or thousands of machines suggests Turla focused on specific high-value systems containing highly sensitive intelligence.
Read at Ars Technica