Symantec uncovers new cyber espionage group targeting government, military and defense sectors
Nov 15, 2018
MOUNTAIN VIEW, Calif.--(BUSINESS WIRE)-- Symantec Corp. (NASDAQ: SYMC), the world’s leading cyber security company, has discovered a previously unknown attack group with the help of Symantec’s artificial intelligence-based Targeted Attack Analytics (TAA) technology. Dubbed Gallmaker, Symantec researchers discovered the group targets government and military organizations, including several overseas embassies of an Eastern European country and military and defense targets in the Middle East.
Gallmaker shuns malware to compromise organizations, instead relying on publicly available hack tools and software already installed on targeted computers. Such techniques, known as living off the land, have become increasingly popular for attackers, as they can be difficult for traditional security tools to detect. Gallmaker notably sends a Microsoft Office document that would be of interest to the organizations it seeks to compromise, exploiting an unsecure protocol in Office to gain access to victim machines, thus infiltrating their network. The group has been operating since at least December 2017, with its most recent activity observed in June 2018.
“Gallmaker bears the hallmarks of a highly targeted cyber espionage campaign supported by a nation-state,” said Greg Clark, Symantec CEO. “They try to stay covert, hiding in plain sight by using tools and techniques that make its activities extremely hard to detect. The group might have continued to go undetected were it not for Symantec’s AI-based Targeted Attack Analytics technology, alerting Symantec’s Attack Investigations Team to the workings of this highly sophisticated and well-orchestrated group. We have been working closely with the organizations targeted by Gallmaker as well as relevant government authorities and law enforcement as appropriate.”
Targeted Attack Analytics (TAA) combines the capabilities of Symantec’s world-leading security experts with advanced artificial intelligence and machine learning to provide organizations with their own “virtual analysts.” Since its inception, TAA has detected security incidents at thousands of organizations, automating what would normally have taken many hours of analyst time. In this latest discovery, TAA identified the specific PowerShell commands used by Gallmaker as being suspicious.
While Gallmaker’s activity appears to be highly targeted, it serves as a reminder to all organizations that they must remain vigilant against the growing threat of attackers utilizing tactics to stay undetected. To take a more active defense against such attacks, enterprises will soon be able to use Symantec’s Targeted Attack Analytics, enabling customers to leverage advanced machine learning to automate the discovery of targeted attacks using living off the land tactics.
Stay up to date with the latest industry developments: sign up to receive TelecomTV's top news and videos plus exclusive subscriber-only content direct to your inbox – including our daily news briefing and weekly wrap.