When two state-linked hacking teams begin sharing code and operational tricks, defenders face a thorny question: who is running the playbook, and who is being targeted? Recent research from ESET reveals that Russian-linked groups Gamaredon and Turla are no longer operating in isolated lanes. Instead, their tools and techniques are flowing between campaigns that focus on Ukrainian government bodies, military-related organizations, and NGOs supporting Ukraine — a development that amplifies risk and complicates both defense and policy responses.
Gamaredon and Turla: Shared tooling, shared targets
Gamaredon and Turla have very different origins and styles, yet ESET’s analysis shows a growing operational overlap. Gamaredon (also tracked as Primitive Bear) has long carried out fast, opportunistic intrusions and phishing operations aimed primarily at Ukrainian targets since the early 2010s. Turla (also known as Snake or Uroburos) is older and more sophisticated, specializing in long-term, stealthy intelligence collection against governments and diplomatic organizations across the globe. The recent findings suggest these distinctions are blurring: mature implants, loaders, and administrative scripts associated with Turla are appearing in Gamaredon campaigns, while Gamaredon’s localized phishing and targeting intelligence are proving useful to Turla-like operations.
What ESET found and why it matters
ESET documented reuse of components, overlapping deployment patterns, and infrastructure ties that make independent origins unlikely. Analysts tied the activity to FSB-affiliated interests through code similarities, shared command-and-control resources, and targeting that aligns with Russian state objectives. This is not mere coincidence; the reuse of toolsets implies coordination or at least a deliberate sharing of capabilities.
Operational advantages for attackers are clear. Shared toolkits reduce development time and lower skill thresholds, enabling opportunistic groups to scale attacks faster. At the same time, sophisticated actors benefit from localized intelligence and the volume of access generated by lower-tier teams. For defenders, the consequences are double-edged: reusable components can create predictable fingerprints that improve detection, but familiar code can also hide new capabilities, increasing dwell time and the chances of mission success.
Strategic implications: beyond tech to policy
Collaboration between groups like Gamaredon and Turla raises hard questions for policymakers. When actors linked to the same national intelligence apparatus perform complementary roles — reconnaissance, access, persistence, exfiltration — distinguishing between espionage and hybrid warfare becomes difficult. Traditional responses such as law enforcement takedowns or indictments lose potency if groups simply pivot or resupply tools from allied clusters. Responses may need to combine technical disruption with diplomacy, economic sanctions, and stronger international coordination on cyber norms and resilience.
Defensive playbook: practical steps for organizations
For Ukrainian organizations and supporting partners, the immediate risks are practical: increased phishing, credential theft, and targeted espionage against relief operations, supply chains, and governance structures. Practical defensive measures remain essential:
– Enforce multi-factor authentication and strong password policies.
– Prioritize patching and vulnerability management to reduce exploit windows.
– Segment networks and apply least-privilege principles to limit lateral movement.
– Deploy threat hunting informed by indicators of compromise shared by vendors and CERTs.
– Invest in incident response capability and rapid information-sharing channels.
These measures are vital, but unequal resource distribution means many potential targets — smaller NGOs, local administrations — will remain vulnerable without sustained international support and intelligence sharing.
Wider consequences for the cyber ecosystem
Tool-sharing accelerates the commoditization of advanced malware, narrowing the gap between elite and mid-tier threat actors. That trend increases global risk: techniques refined in Ukraine can migrate to other theaters, affecting allies and civilian infrastructure worldwide. The cyber domain is transnational by nature; a technique developed for espionage in one region can quickly be repurposed for sabotage or crime elsewhere.
Opportunities for defenders
There is also an upside for defenders. Shared tooling produces repeatable fingerprints that security vendors and incident response teams can exploit to create signatures, playbooks, and detection rules. Cross-industry collaboration and public-private partnerships can amplify these defensive gains — provided threat intelligence is timely, actionable, and widely distributed.
What comes next: deterrence, resilience, and coordination
If Gamaredon and Turla’s coordination quietly expands Moscow’s intelligence reach, the urgent question shifts from pure attribution to resilience: how will democracies harden their networks, deter state-backed collaboration, and protect institutions that support open societies? Technical mitigations must be matched by diplomatic pressure, sanctions where appropriate, and deepened cooperation among NATO, EU, and partner cyber-defenders. Strengthening critical infrastructure, funding defensive capabilities for vulnerable organizations, and sustaining information-sharing mechanisms will be crucial.
Conclusion
The emerging collaboration between Gamaredon and Turla shows how state-linked actors can multiply their effectiveness by sharing tools and tradecraft. That coordination raises the stakes for defenders, policymakers, and the international community. Addressing the threat requires a blend of technical defenses, intelligence sharing, and strategic policy responses — and a recognition that cyber-espionage coordination is as much a geopolitical instrument as it is a technical challenge.




