Russian Hacking Groups Unite: Coordinated Attacks on Ukraine’s Cybersecurity Infrastructure


Russian state-backed hacking groups Gamaredon and Turla have formed an unprecedented collaboration to target Ukrainian entities, according to new research from cybersecurity firm ESET. The joint operations, discovered in early 2025, mark a significant escalation in advanced persistent threat activity against critical infrastructure. The partnership is the first confirmed instance of major Russian cyber units working together, and it shows how the threat to Ukraine's digital infrastructure has evolved since Russia's 2022 invasion. These attacks demonstrate how cyber threats continue to evolve and affect national security.

Sophisticated Attack Chain Revealed

ESET researchers uncovered evidence of Gamaredon's tools being used to deploy Turla's advanced Kazuar backdoor on Ukrainian systems. The attacks primarily targeted Ukraine's defense sector through a multi-stage infection process that chains several pieces of malware together. "PteroGraphin was used as a recovery method by Turla," explained ESET researchers Matthieu Faou and Zoltán Rusnák.

The attack chain involved multiple specialized tools:

- PteroGraphin: a PowerShell-based tool that uses Excel add-ins for persistence
- PteroOdd: a custom downloader that retrieves payloads via Telegraph
- Kazuar: a sophisticated .NET-based backdoor with extensive surveillance capabilities

Expanded Reach and Impact

The collaborative attacks have been detected on seven Ukrainian machines over 18 months, with four systems compromised in January 2025 alone.

The latest version of Kazuar (v3) deployed in these attacks includes:

- 35% more code than previous versions
- New network transport methods using web sockets
- Enhanced Exchange Web Services capabilities
- Advanced system information gathering features

According to Microsoft's Digital Defense Report, state-sponsored attacks have increased by 40% in the past year, with Russian groups being particularly active.

Defensive Measures and Recommendations

Organizations can take several steps to defend against these attacks:

- Implement robust email filtering to block spear-phishing attempts, a common initial access vector
- Monitor for suspicious PowerShell activity and Excel add-in installations
- Deploy endpoint detection solutions capable of identifying known Gamaredon and Turla tools

The discovery of this collaboration between Russian state hackers signals a concerning trend in cyber warfare capabilities. Organizations, especially those in Ukraine's critical infrastructure sectors, should heighten their security awareness and strengthen their defensive measures against these evolving threats. This joint operation demonstrates how nation-state actors are combining resources and expertise to achieve their strategic objectives through cyber means. Security teams worldwide should study these tactics to better prepare for similar collaborative attacks in the future.
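The second recommendation above (watch for suspicious PowerShell activity and Excel add-in installations) is easy to state and less obvious to operationalize. The following triage routine is an added example written for this page; it is not code from the article, from ESET, or from any of the tools named above, and it makes no claim about how PteroGraphin itself behaves. It runs over constructed telemetry records in the shape of Sysmon registry and file events and PowerShell script-block log entries (all sample values are made up) and flags the places Excel consults for auto-loaded add-ins (the OPEN values under the Excel Options key, the Add-in Manager key, and the XLSTART folder) together with common loader traits in script blocks.

```python
import re

# Registry locations Excel reads at start-up to auto-load add-ins. A value
# written here by anything other than Excel itself deserves a closer look.
EXCEL_AUTOLOAD_KEY = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Excel\\"
    r"(Options\\OPEN\d*$|Add-in Manager\\)",
    re.IGNORECASE,
)
XLSTART_DIR = re.compile(r"\\XLSTART\\", re.IGNORECASE)  # per-user/per-install autoload folder
ADDIN_EXT = re.compile(r"\.(xla|xlam|xll)\b", re.IGNORECASE)

# Script-block traits that are individually noisy but rarely all benign together.
PS_SUSPICIOUS = [
    ("encoded_command", re.compile(r"-(enc|encodedcommand)\b", re.IGNORECASE)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)),
    ("download_cradle", re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)", re.IGNORECASE)),
    ("excel_autoload_write", re.compile(r"Excel\\Options.*\bOPEN\d*\b", re.IGNORECASE)),
]

# Constructed sample telemetry (hypothetical hosts, users and paths; not real IoCs).
SAMPLE_EVENTS = [
    {"source": "sysmon", "id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Options\OPEN1"},
    {"source": "sysmon", "id": 13, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Options\OPEN"},
    {"source": "sysmon", "id": 13, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Options\Font"},
    {"source": "sysmon", "id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\helper.xlam"},
    {"source": "sysmon", "id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"C:\Users\alice\Documents\budget.xlsx"},
    {"source": "powershell", "id": 4104, "image": "powershell.exe",
     "script": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"source": "powershell", "id": 4104, "image": "powershell.exe",
     "script": r"Get-ChildItem C:\Temp | Measure-Object"},
    {"source": "powershell", "id": 4104, "image": "powershell.exe",
     "script": r"Set-ItemProperty 'HKCU:\Software\Microsoft\Office\16.0\Excel\Options' -Name OPEN -Value '/R C:\Users\alice\AppData\Roaming\x.xlam'"},
]


def triage(events):
    """Return a list of findings, each a dict with rule, severity, evidence and image."""
    findings = []
    for ev in events:
        src, eid = ev.get("source"), ev.get("id")
        if src == "sysmon" and eid == 13:  # Sysmon: registry value set
            if EXCEL_AUTOLOAD_KEY.search(ev["target"]):
                # Excel writing its own autoload key is normal when a user enables an
                # add-in; any other writer (e.g. PowerShell) is the interesting case.
                writer = ev.get("image", "").lower()
                sev = "medium" if writer.endswith("\\excel.exe") else "high"
                findings.append({"rule": "excel_addin_autoload_registry", "severity": sev,
                                 "evidence": ev["target"], "image": ev.get("image")})
        elif src == "sysmon" and eid == 11:  # Sysmon: file created
            path = ev["target"]
            if XLSTART_DIR.search(path) and ADDIN_EXT.search(path):
                findings.append({"rule": "excel_xlstart_addin_drop", "severity": "high",
                                 "evidence": path, "image": ev.get("image")})
        elif src == "powershell" and eid == 4104:  # PowerShell script block logging
            hits = [name for name, rx in PS_SUSPICIOUS if rx.search(ev["script"])]
            if hits:
                sev = "high" if len(hits) >= 2 or "excel_autoload_write" in hits else "low"
                findings.append({"rule": "suspicious_powershell", "severity": sev,
                                 "evidence": ",".join(hits), "image": ev.get("image")})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:<6}] {f['rule']:<32} {f['evidence']}  (by {f['image']})")
```

Over the constructed sample this yields five findings: the two registry writes to OPEN values (high for the PowerShell writer, medium for Excel itself), the add-in dropped into XLSTART, the encoded and hidden script block, and the script block that edits the Excel Options key directly. The benign font setting, the spreadsheet save and the plain directory listing produce nothing. The Excel-versus-other-writer split is the design point: the same registry write means something very different depending on which process made it, so the event's image field, not just the key path, drives the severity.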
