Symantec discovers new cyber espionage group targeting government, military and defense sectors

Symantec Corp. has discovered a previously unknown attack group with the help of Symantec’s artificial intelligence-based Targeted Attack Analytics (TAA) technology. Symantec researchers dubbed the group Gallmaker and found that it targets government and military organizations, including several overseas embassies of an Eastern European country and military and defense targets in the Middle East.

Gallmaker shuns malware to compromise organizations, instead relying on publicly available hack tools and software already installed on targeted computers. Such techniques, known as living off the land, have become increasingly popular for attackers, as they can be difficult for traditional security tools to detect.

Gallmaker notably sends a Microsoft Office document that would be of interest to the organizations it seeks to compromise, exploiting an insecure protocol in Office to gain access to victim machines and thereby infiltrate their networks. The group has been operating since at least December 2017, with its most recent activity observed in June 2018.

Targeted Attack Analytics (TAA) combines the capabilities of Symantec’s world-leading security experts with advanced artificial intelligence and machine learning to provide organizations with their own “virtual analysts.” Since its inception, TAA has detected security incidents at thousands of organizations, automating what would normally have taken many hours of analyst time. In this latest discovery, TAA identified the specific PowerShell commands used by Gallmaker as being suspicious.

While Gallmaker’s activity appears to be highly targeted, it serves as a reminder to all organizations that they must remain vigilant against the growing threat of attackers using tactics designed to stay undetected.

To take a more active defense against such attacks, enterprises will soon be able to use Symantec’s Targeted Attack Analytics, enabling customers to leverage advanced machine learning to automate the discovery of targeted attacks using living off the land tactics.

“Gallmaker bears the hallmarks of a highly targeted cyber espionage campaign supported by a nation-state,” said Greg Clark, Symantec CEO. “They try to stay covert, hiding in plain sight by using tools and techniques that make their activities extremely hard to detect. The group might have continued to go undetected were it not for Symantec’s AI-based Targeted Attack Analytics technology, alerting Symantec’s Attack Investigations Team to the workings of this highly sophisticated and well-orchestrated group. We have been working closely with the organizations targeted by Gallmaker as well as relevant government authorities and law enforcement as appropriate.”
