However ESET stated its probably speculation is that Turla and Gamaredon have been working collectively. “Provided that each teams are a part of the Russian FSB (although in two totally different Facilities), Gamaredon supplied entry to Turla operators in order that they may situation instructions on a selected machine to restart Kazuar, and deploy Kazuar v2 on some others,” the corporate stated.
Friday’s submit famous that Gamaredon has been seen collaborating with different hack teams beforehand, particularly in 2020 with a gaggle ESET tracks below the title InvisiMole.
In February, ESET stated, firm researchers noticed 4 distinct Gamaredon-Turla co-compromises in Ukraine. On the entire machines, Gamaredon deployed a variety of instruments, together with these tracked below the names PteroLNK, PteroStew, PteroOdd, PteroEffigy, and PteroGraphin. Turla, for its half, put in model 3 of its proprietary malware Kazuar.
ESET software program put in on one of many compromised units noticed Turla issuing instructions by means of the Gamaredon implants.
“PteroGraphin was used to restart Kazuar, probably after Kazuar crashed or was not launched mechanically,” ESET stated. “Thus, PteroGraphin was in all probability used as a restoration technique by Turla. That is the primary time that we’ve got been in a position to hyperlink these two teams collectively through technical indicators (see First chain: First chain: Restart of Kazuar v3).”
Then, in April and once more in June, ESET stated it detected Kazuar v2 installers being deployed by Gamaredon malware. In all of the instances, ESET software program was put in after the compromises, so it wasn’t doable to get better the payloads. Nonetheless, the agency stated it believes an energetic collaboration between the teams is the probably clarification.
“All these components, and the truth that Gamaredon is compromising a whole lot if not hundreds of machines, counsel that Turla is solely in particular machines, in all probability ones containing extremely delicate intelligence,” ESET speculated.
