Close Menu
Cybercrime and Ransomware

Turla and Gamaredon Join Forces in New Ukrainian Intrusions

Staff WriterBy No Comments3 Mins Read6 Views

Fast Facts

  1. Two Russian state-sponsored hacking groups, Gamaredon and Turla, have collaborated recently in cyberattacks targeting Ukraine, with evidence indicating coordinated use of tools and malware deployment.
  2. Gamaredon, active since 2013 and responsible for thousands of Ukrainian intrusions, used its tools to restart and deploy Turla malware, specifically Kazuar, on Ukrainian systems between February and April 2025.
  3. Turla, active since 2004 and focusing on high-profile targets across Europe, Central Asia, and the Middle East, appears to be selectively targeting high-value Ukrainian machines likely containing sensitive intelligence.
  4. ESET confirms strong organizational ties and long-standing collaboration between the two groups, both linked to Russian intelligence agencies (FSB), with operations dating back to the Cold War era.

Key Challenge

Recent cyberattacks against Ukrainian targets reveal a coordinated effort between two Russian government-backed hacking groups, Gamaredon and Turla, according to findings by cybersecurity firm ESET. Between February and April 2025, Gamaredon’s tools—specifically PteroGraphin, PteroOdd, and PteroPaste—were used not only to recover and restart Turla’s Kazuar espionage implants but also to deploy new versions of Turla malware on several Ukrainian systems. These attacks seem highly targeted, focusing on machines likely containing sensitive intelligence data, as ESET indicates that Turla’s activity was absent from Ukraine since February 2024 and that the recent operations involve complex, orchestrated malware chains. The collaboration is strongly linked to officers from Russia’s Federal Security Service (FSB), with historical ties that date back to the Cold War, underscoring a longstanding and strategic partnership reflecting Russia’s sustained cyber espionage agenda.

Potential Risks

Recent cyberattacks against Ukrainian targets reveal a strategic alliance between two sophisticated Russian state-sponsored threat groups, Gamaredon and Turla, working collaboratively since at least 2013 and 2004, respectively. Using tools deployed by Gamaredon, including the PteroGraphin, PteroOdd, and PteroPaste, Turla’s advanced malware (notably Kazuar) was reactivated on Ukrainian systems between February and April 2025, indicating a targeted focus on high-value, sensitive intelligence assets. The partnership, facilitated by divisions within the Russian FSB—Center 18 for Gamaredon and Center 16 for Turla—reflects a long-standing organizational relationship dating back to the Cold War, enhancing their capacity for espionage, disruption, and data exfiltration. This collaboration underscores a heightened cyber threat landscape where nation-state actors pool resources to execute persistent, sophisticated operations, thereby posing profound security risks to national infrastructure and intelligence assets.

Fix & Mitigation

In the face of emerging alliances like Turla and Gamaredon working together in recent Ukrainian intrusions, prompt remediation becomes crucial to prevent widespread damage, secure sensitive data, and restore trust in affected networks.

Mitigation Steps:

  • Implement advanced intrusion detection systems (IDS) to identify malicious activities early.

Remediation Steps:

  • Conduct thorough forensic investigations to understand breach vectors.
  • Isolate affected systems to prevent further spread.
  • Patch vulnerabilities exploited during the intrusion.
  • Enforce stricter access controls and multifactor authentication.
  • Update and strengthen security protocols and configurations.
  • Educate staff on recognizing spear-phishing and social engineering tactics.
  • Collaborate with cybersecurity experts and government agencies for threat intelligence sharing.

Stay Ahead in Cybersecurity

Stay informed on the latest Threat Intelligence and Cyberattacks.

Learn more about global cybersecurity standards through the NIST Cybersecurity Framework.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.