Collaborative Malware Attacks by Russia’s FSB Hack Groups Pose Significant Threat to High-Value Devices
Security researchers have discovered a concerning trend in recent malware attacks targeting high-value devices in Ukraine, with two of the Kremlin’s most active hacking units collaborating on these operations. The groups involved are Turla and Gamaredon, both of which are widely assessed to be units of Russia’s FSB (Federal Security Service), the country’s chief security agency and successor to the Soviet Union’s KGB.
Turla is considered one of the world’s most sophisticated advanced persistent threats (APTs) due to its well-organized and well-funded nature. The group has been linked to several high-profile breaches, including the US Department of Defense in 2008, Germany’s Foreign Office, and France’s military. Turla is known for conducting narrowly targeted attacks on high-value targets while maintaining a low profile.
On the other hand, Gamaredon is an APT that conducts much wider-scale operations, often targeting organizations in Ukraine. Unlike Turla, Gamaredon doesn’t seem to care about being detected and linked to the Russian government. Its malware generally aims to collect as much information from targets as possible over a short period of time.
Security firm ESET has spotted both groups’ malware being installed alongside each other or interoperating on multiple devices in recent months. While it is possible that Turla may have hijacked Gamaredon’s infrastructure, ESET believes the most likely hypothesis is that the two groups were working together. According to ESET, Gamaredon provided access to Turla operators so they could issue commands on a specific machine to restart Kazuar and deploy Kazuar v2 on others.
This collaboration raises concerns about the capabilities of these APTs and their potential impact on high-value devices in Ukraine and beyond. Both groups have been seen collaborating with other hack groups previously, highlighting the complex web of relationships within the world of nation-state hacking.
Technical Details of the Collaboration
ESET researchers have identified several technical indicators that suggest a collaboration between Turla and Gamaredon. For example, they observed the PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin tools being deployed by Gamaredon on compromised machines. Turla, for its part, installed version 3 of its proprietary malware Kazuar.
In one instance, ESET software installed on a compromised device observed Turla issuing commands through the Gamaredon implants. Specifically, PteroGraphin was used to restart Kazuar, possibly after it had crashed or had not been launched automatically. This is believed to be the first time that these two groups have been linked together via technical indicators.
Furthermore, in April and June, ESET detected Kazuar v2 installers being deployed by Gamaredon malware. While it was not possible to recover the payloads due to ESET software being installed after the compromises, the firm believes an active collaboration between the groups is the most likely explanation.
The Significance of This Collaboration
This discovery highlights the growing sophistication and complexity of nation-state hacking operations. The fact that Turla and Gamaredon are collaborating on these attacks raises concerns about their potential impact on high-value devices in Ukraine and beyond. It also underscores the need for continued vigilance and cooperation among security researchers, governments, and organizations to combat these threats.
As ESET speculated, "All those elements, and the fact that Gamaredon is compromising hundreds if not thousands of machines, suggest that Turla is interested only in specific machines, probably ones containing highly sensitive intelligence." This emphasis on high-value targets highlights the potential for significant damage and data loss.
Conclusion
The collaboration between Turla and Gamaredon represents a significant development in the world of nation-state hacking. As these groups continue to operate with impunity, it is essential that security researchers, governments, and organizations work together to combat these threats. By understanding the technical details of this collaboration and the significance of this partnership, we can better prepare ourselves for the challenges ahead and mitigate the impact of these attacks.
The fact that these two groups are working together raises concerns about their combined capabilities and the damage they could cause. As we move forward in addressing these threats, it is crucial to prioritize cooperation, vigilance, and innovation in our efforts to protect high-value devices from these sophisticated APTs.