However ESET stated its almost certainly speculation is that Turla and Gamaredon have been working collectively. “On condition that each teams are a part of the Russian FSB (although in two totally different Facilities), Gamaredon offered entry to Turla operators in order that they might challenge instructions on a selected machine to restart Kazuar, and deploy Kazuar v2 on some others,” the corporate stated.
Friday’s submit famous that Gamaredon has been seen collaborating with different hack teams beforehand, particularly in 2020 with a gaggle ESET tracks below the identify InvisiMole.
In February, ESET stated, firm researchers noticed 4 distinct Gamaredon-Turla co-compromises in Ukraine. On the entire machines, Gamaredon deployed a variety of instruments, together with these tracked below the names PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin. Turla, for its half, put in model 3 of its proprietary malware Kazuar.
ESET software program put in on one of many compromised units noticed Turla issuing instructions via the Gamaredon implants.
“PteroGraphin was used to restart Kazuar, probably after Kazuar crashed or was not launched mechanically,” ESET stated. “Thus, PteroGraphin was most likely used as a restoration technique by Turla. That is the primary time that we now have been in a position to hyperlink these two teams collectively through technical indicators (see First chain: First chain: Restart of Kazuar v3).”
Then, in April and once more in June, ESET stated it detected Kazuar v2 installers being deployed by Gamaredon malware. In all of the circumstances, ESET software program was put in after the compromises, so it wasn’t attainable to recuperate the payloads. Nonetheless, the agency stated it believes an lively collaboration between the teams is the almost certainly rationalization.
“All these parts, and the truth that Gamaredon is compromising lots of if not hundreds of machines, recommend that Turla is solely in particular machines, most likely ones containing extremely delicate intelligence,” ESET speculated.
