Russian APT Gamaredon Facilitates Turla Espionage Operations Against Ukrainian Government (2025)
What Happened — ESET researchers presented technical evidence that the Gamaredon group acted as an access broker for the Turla APT, using its custom tools (PteroGraphin, PteroOdd) to implant Turla’s Kazuar backdoor on high‑value Ukrainian military and government systems between February and June 2025. In at least one case Gamaredon restored Turla’s foothold after it had been lost.
Why It Matters for TPRM —
- State‑aligned actors are actively sharing access, increasing the attack surface for any third‑party that supplies software or services to Ukrainian entities.
- The collaboration demonstrates a “division of labor” model that can be replicated across supply‑chain relationships, making traditional perimeter controls insufficient.
- Continuous monitoring of threat‑actor tactics is essential for vendors that support government or critical‑infrastructure customers in conflict zones.
Who Is Affected — Government ministries, defense agencies, and any vendors providing network, communications, or cloud services to Ukrainian public‑sector organizations.
Recommended Actions —
- Review contracts with Ukrainian government customers for clauses addressing state‑sponsored threat exposure.
- Validate that your organization enforces strict email‑security controls (anti‑phishing, DMARC, attachment sandboxing).
- Implement threat‑intel feeds that flag Gamaredon and Turla indicators of compromise (IOCs) and integrate them into SIEM/EDR.
- Conduct red‑team exercises that simulate access‑brokerage scenarios to test detection and response.
Technical Notes — The attack chain began with spear‑phishing emails delivering Gamaredon’s lightweight loaders (PteroGraphin/PteroOdd). Those loaders dropped Turla’s Kazuar v2/v3 backdoor, which provides long‑term persistence, credential theft, and lateral movement. No public CVEs were cited; the operation relied on custom, undocumented tooling. Source: SentinelOne Labs – LABScon25 Replay