But ESET said that the most likely hypothesis is that Turla and Gamaredon worked together. “Given that both groups are part of the Russian FSB (although in two different centers), Gamaredon provided access to Turla operators so that they could issue commands to restart Kazuar on one specific machine and deploy Kazuar v2 on some others,” the company said.
Friday's post noted that Gamaredon has been seen cooperating with other hacking groups before, in particular in 2020 with the group tracked under the name InvisiMole.
According to ESET, in February the company's researchers noticed four different joint Gamaredon-Turla compromises in Ukraine. On all of the machines, Gamaredon had launched a wide range of tools, including those tracked under the names PteroLNK, PteroStew, PteroOdd, PteroEffigy and PteroGraphin. Turla, for its part, installed version 3 of its proprietary Kazuar malware.
On one of the compromised devices, ESET software observed Turla commands being issued through Gamaredon implants.
“PteroGraphin was used to restart Kazuar, possibly after Kazuar crashed or was not launched automatically,” ESET said. “Thus, PteroGraphin was probably used by Turla as a recovery method. This is the first time we have been able to connect these two groups using technical indicators (see the first chain: Restarting Kazuar v3).”
Then, in April and again in June, ESET said it found Kazuar v2 installers being deployed by Gamaredon malware. In all cases, ESET software was installed after the compromises, so it was not possible to recover the payloads. Nevertheless, the company said it believes that active cooperation between the groups is the most likely explanation.
“All these elements, and the fact that Gamaredon infects hundreds, if not thousands, of machines, suggest that Turla is only interested in specific machines, probably those containing highly sensitive intelligence,” ESET said.