Gamaredon-Turla Operational Collaboration Signals Rare FSB-Linked Espionage Coordination Against Ukraine
ESET researchers have documented direct operational cooperation between Gamaredon and Turla, two FSB-linked threat actors, with Gamaredon facilitating initial access for Turla against Ukrainian targets in 2025. This represents an unusual departure from typical competitive dynamics between state-sponsored groups and suggests coordinated Russian intelligence operations.
Affected
The documented coordination between Gamaredon and Turla represents a significant shift in observed threat actor behaviour. Historically, state-sponsored groups maintain operational separation to provide plausible deniability and to compartmentalise intelligence collection objectives. This collaboration suggests either explicit FSB direction to coordinate efforts or resource constraints forcing integration of distinct operational cells. Gamaredon's primary role as a facilitator of initial compromise for downstream Turla operations indicates mature operational planning and shared targeting intelligence.
From a technical standpoint, the handoff mechanism between actors reveals important details about Russian operational tradecraft. Gamaredon likely maintained persistent access or established beachheads that Turla then leveraged for deeper network penetration and espionage objectives. This staging approach is more efficient than parallel compromise attempts and suggests pre-coordination rather than opportunistic collaboration. The intelligence value to Russian services is substantial: initial reconnaissance and persistence via Gamaredon, followed by sophisticated collection via Turla's established capabilities.
Ukrainian organisations and NATO-aligned entities should assume that any Gamaredon compromise now carries elevated risk of secondary compromise by advanced Turla operators. This breaks the traditional threat model where organisations might tolerate low-sophistication initial access if they believed more advanced actors were not downstream. The convergence means defending against Gamaredon now requires assuming post-breach operations by a separate, highly capable adversary. This has operational implications for incident response timelines and investigation scope.
Defenders should prioritise detection of handoff indicators: lateral movement patterns that diverge sharply from Gamaredon's typical behaviour, deployment of Turla-attributed tools or infrastructure following Gamaredon compromise, and anomalous command and control patterns. Network segmentation becomes critical to prevent Gamaredon footholds from serving as pivot points. Ukrainian critical infrastructure operators should review access logs for evidence of both actors and treat any Gamaredon incident as a potential Turla staging ground unless proven otherwise.
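The correlation rule described above, as an added example (not code from ESET or the report): it groups alerts per host, finds the earliest initial-access alert attributed to a known actor, and flags any later lateral-movement, tool-deployment or C2 alert within a window whose technique falls outside that actor's usual tooling. The actor baseline, the alert format and the sample alerts are constructed assumptions for illustration, not indicators from the report.

```python
"""Handoff correlation: flag hosts where post-compromise activity diverges
from the tooling of the actor that got initial access.  All actor baselines,
alert fields and sample alerts below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    ts: datetime
    host: str
    category: str   # initial_access | lateral_movement | c2 | tool_deployment
    actor: str      # attribution tag set by the detection rule, or "unknown"
    technique: str  # technique / tool label emitted by the detection rule


# Hypothetical per-actor tooling baseline (assumption, not from the report).
ACTOR_BASELINE = {
    "gamaredon": {"lnk_phishing", "vbs_downloader", "http_beacon"},
}
# Post-compromise alert categories that are relevant to a handoff check.
POST_COMPROMISE = {"lateral_movement", "c2", "tool_deployment"}
# How long after initial access we still consider activity part of the same
# intrusion; tune to the environment (assumed value).
HANDOFF_WINDOW = timedelta(days=30)

# Constructed sample alerts, one per line: ts|host|category|actor|technique
SAMPLE_LOG = """\
2025-03-01T08:12:00|ws-17|initial_access|gamaredon|lnk_phishing
2025-03-01T08:20:00|ws-17|c2|gamaredon|http_beacon
2025-03-09T22:41:00|ws-17|lateral_movement|unknown|smb_admin_share
2025-03-10T01:03:00|ws-17|c2|unknown|https_long_poll
2025-03-02T10:00:00|ws-42|initial_access|gamaredon|vbs_downloader
2025-03-03T10:05:00|ws-42|c2|gamaredon|http_beacon
2025-03-04T09:00:00|ws-77|lateral_movement|unknown|smb_admin_share
"""


def parse_log(text: str) -> list[Alert]:
    """Parse the pipe-delimited constructed alert format into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, category, actor, technique = line.split("|")
        alerts.append(Alert(datetime.fromisoformat(ts), host, category,
                            actor, technique))
    return alerts


def find_handoffs(alerts: list[Alert], baselines=ACTOR_BASELINE,
                  window: timedelta = HANDOFF_WINDOW) -> dict:
    """Return {host: finding} for hosts with a suspected actor handoff.

    A finding requires (1) an initial-access alert attributed to an actor with
    a known baseline and (2) at least one later post-compromise alert inside
    the window whose technique is not in that actor's baseline."""
    by_host: dict[str, list[Alert]] = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host.setdefault(a.host, []).append(a)

    findings = {}
    for host, events in by_host.items():
        first = next((e for e in events
                      if e.category == "initial_access" and e.actor in baselines),
                     None)
        if first is None:
            continue  # no attributed foothold on this host; nothing to chain
        baseline = baselines[first.actor]
        divergent = [e for e in events
                     if first.ts < e.ts <= first.ts + window
                     and e.category in POST_COMPROMISE
                     and e.technique not in baseline]
        if divergent:
            findings[host] = {
                "initial_actor": first.actor,
                "initial_ts": first.ts,
                "divergent": [(e.ts, e.category, e.technique) for e in divergent],
                # Time from foothold to first out-of-profile activity: useful
                # for scoping the investigation window.
                "dwell_to_handoff": divergent[0].ts - first.ts,
            }
    return findings


if __name__ == "__main__":
    for host, f in find_handoffs(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {f['initial_actor']} foothold at {f['initial_ts']}, "
              f"out-of-profile activity after {f['dwell_to_handoff']}: "
              f"{f['divergent']}")
```

On the constructed data only ws-17 is flagged: its foothold is attributed to Gamaredon, but eight days later SMB admin-share lateral movement and a different C2 pattern appear that are not in the assumed Gamaredon profile. ws-42 shows only in-profile beaconing and ws-77 has no attributed foothold, so neither is reported. The same structure applies to any SIEM export once the field mapping and the baseline are replaced with the environment's own.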
The broader implication is that Russian intelligence operations are becoming more coordinated under pressure. As Ukraine's defensive capabilities have improved and NATO support has increased, Russian services appear to be abandoning inefficient redundancy in favour of integrated operations. This represents genuine escalation in sophistication, not merely in firepower but in strategic coordination. Expect this pattern to persist and potentially expand to other FSB-aligned actors.