Threat Intelligence, Critical Infrastructure Security

Ukraine subjected to joint Gamaredon, Turla attacks


Russian state-backed advanced persistent threat operations Gamaredon, also known as Callisto, Armageddon, and Primitive Bear, and Turla, also known as Uroburos, Waterbug, and Venomous Bear, have teamed up to compromise organizations across Ukraine in cyberattacks between February and April, reports Security Affairs.

Ukrainian entities have been impacted by four joint Gamaredon and Turla intrusions in February alone, with the former deploying the PteroLNK, PteroOdd, PteroStew, PteroGraphin, and PteroEffigy tools while the latter launched its Kazuar v3 backdoor, according to findings from ESET. Kazuar had been revived by Turla using Gamaredon's implant on one of the targeted Ukrainian systems, resulting in the subsequent launch of Kazuar v2.

Researchers believe that, because both groups operate under Russia's FSB, Gamaredon operators gave Turla access so that it could inject commands to revive Kazuar on certain machines, rather than Turla having compromised Gamaredon's infrastructure. Additional details regarding the initial access vector leveraged by Gamaredon remain uncertain.
