Two of the Most Active Hacker Groups within the Kremlin are working together, claims ESET


Gamaredon is helping to move Turla along. Both are FSB units in Russia.


According to security analysts on Friday, two of the Kremlin's most active hacking groups have been observed working together on malware operations that compromise high-value devices in Ukraine.

One of the groups is Turla, which is undoubtedly one of the most advanced persistent threats in the world. Turla is a well-funded and well-organized hacking operation that targets particular adversaries for years at a time, with the support of several nation-states. According to researchers from a number of security firms, Turla was responsible for breaches of the US Department of Defense in 2008 and, more recently, of the German Foreign Office and the French military. To keep its activities covert, the group has also been known to use satellite-based Internet connections to deploy stealthy Linux malware. The group maintains a low profile while launching high-value, precisely targeted attacks.

In contrast, Gamaredon is a distinct APT that frequently targets Ukrainian organizations and carries out far broader operations. Unlike Turla, which goes to great lengths to remain undetected, Gamaredon does not appear to worry about being discovered and linked to the Russian government. In general, its malware seeks to gather as much data from its targets as it can in a short amount of time. Turla and Gamaredon are both widely believed to be parts of Russia's Federal Security Service (FSB), the nation's main security agency and the successor to the Soviet-era KGB.

Hostile Takeover Possible, Collaboration More Likely

The security company ESET reported on Friday that it has observed malware from both groups installed together, or working together, on several machines in recent months. According to company researchers, Turla might have taken control of Gamaredon's infrastructure, much as it took over the attack platform of a rival APT working for the Iranian government in 2019 in what amounted to a hostile takeover. In a similar vein, Turla last year targeted Starlink-connected devices in Ukraine by hijacking the infrastructure of two financially motivated hacking groups.

However, according to ESET, its most plausible theory is that Turla and Gamaredon were collaborating. “Gamaredon granted access to Turla operators so that they could issue commands on a specific machine to restart Kazuar and deploy Kazuar v2 on some others, considering that both groups are part of the Russian FSB (albeit in two different Centers),” the company stated.


Gamaredon has been observed working with other hacking groups in the past, notably in 2020 with a group ESET tracks under the name InvisiMole, according to Friday's report.

According to ESET, its researchers saw four separate Gamaredon-Turla co-compromises in Ukraine in February. On each machine, Gamaredon installed a variety of tools, including those known as PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin. Turla installed version 3 of Kazuar, its custom malware.

Through ESET software installed on one of the infected machines, researchers observed Turla issuing commands via the Gamaredon implants.

As ESET put it, "Kazuar was restarted using PteroGraphin, possibly after it crashed or failed to launch automatically." Turla therefore most likely used PteroGraphin as a recovery mechanism. ESET said this was the first time it had been able to link the two groups through technical indicators.

ESET also said it observed Gamaredon malware deploying Kazuar v2 installers in April and June. The payloads could not be recovered because ESET software was always deployed after the intrusions. Nonetheless, the company stated that the most plausible explanation is that the two groups are actively working together.

Given all of those factors, and the fact that Gamaredon is compromising hundreds or even thousands of machines, ESET hypothesized that Turla is only interested in particular devices, most likely ones holding extremely sensitive intelligence.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
