Turla and Gamaredon Join Forces in New Ukrainian Cyber Attacks

Recent Cyberattacks in Ukraine: Uncovering the Collaboration Between Russian Threat Actors

Recent investigations by cybersecurity firm ESET have revealed the collaboration between two Russian state-sponsored hacking groups in their attacks on Ukrainian entities. This partnership sets the stage for a series of cyber threats that highlight the complex landscape of international cyber warfare.

Identifying the Threat Actors

The two primary groups under scrutiny are Gamaredon and Turla. Evidence suggests that from February to April 2025, tools previously employed by Gamaredon were used to launch the Turla malware against select targets in Ukraine. This signifies direct cooperation between the two actors, as they share resources to bolster their offensive capabilities.

Overview of Gamaredon

Gamaredon, also known by various monikers like Armageddon and BlueAlpha, has been operational since at least 2013. Its primary focus has been on individuals and organizations within Ukraine. This group is notorious for executing thousands of cyber intrusions aimed at gathering intelligence and disrupting normal operations.

The History of Turla

On the other hand, Turla, which is often referred to as Krypton or Venomous Bear, has been active since 2004, primarily targeting high-profile victims such as diplomats and government agencies across Europe, Central Asia, and the Middle East. The extensive history of Turla points to its specialization in sophisticated espionage activities.

Evidence of Collaboration

In 2025, ESET uncovered notable incidents involving both groups. On several compromised systems, Gamaredon’s tools were used to issue commands and deploy Turla’s malware implants. In February, a specific tool known as PteroGraphin was leveraged to recover the Kazuar espionage implant after its malfunction. Further, in April, Gamaredon’s additional tools, PteroOdd and PteroPaste, were identified in the deployment of Kazuar v2 installers.

Targeting Sensitive Intelligence

ESET’s findings indicate a specific focus by Turla on machines that likely contain highly sensitive intelligence, suggesting that the attacks are not indiscriminate but rather targeted. The last recorded instance of Turla compromising a system in Ukraine was in February 2024, making this recent resurgence significant.

The evidence implies that while Gamaredon has a broad operational scope, Turla is selectively aiming for a limited number of machines that house critical data. This selective targeting raises alarms about the potential risks for sensitive information in Ukraine.

ESET has strong reason to believe that the two groups are not acting independently. Both are connected to the Russian intelligence service FSB, with Gamaredon linked to Center 18 and Turla associated with Center 16, the principal signals intelligence agency in Russia. This connection underlines their shared aims and operational synchrony, indicating a well-coordinated effort against their targets.

Historical Context of Collaboration

The collaboration between these two entities is not new; it can be traced back to the Cold War era, illustrating a longstanding relationship between Russian state-sponsored cyber operations. This historical context further emphasizes the strategic nature of their alliance and highlights the persistent cyber threats they pose to nations like Ukraine.

Broader Implications of Cyber Warfare

The implications of these findings extend beyond immediate cybersecurity concerns. With increasing cyber threats from state-sponsored actors, nations must bolster their defenses and develop proactive measures to safeguard sensitive information. Understanding the dynamics between groups like Gamaredon and Turla is essential for formulating effective strategies against such collaborations.

In summary, the revelations of a coordinated effort between these two Russian hacking groups mark a significant chapter in the ongoing cyber conflict, particularly concerning Ukraine. As investigations continue and new technologies emerge, staying vigilant and informed about these actors will be crucial for governments and organizations worldwide.
