Symantec Corporation has discovered a previously unknown attack group with the help of the firm’s artificial intelligence-based Targeted Attack Analytics (TAA) technology. Dubbed Gallmaker, the group targets government and military organizations, including several overseas embassies of an Eastern European country and military and defense targets in the Middle East.
Gallmaker shuns malware to compromise organizations, instead relying on publicly available hacking tools and software already installed on targeted computers. Such techniques, known as living off the land, have become increasingly popular with attackers because they can be difficult for traditional security tools to detect. Notably, Gallmaker sends a Microsoft Office document that would be of interest to the organizations it seeks to compromise, exploiting an insecure protocol in Office to gain access to victim machines and thereby infiltrate their networks. The group has been operating since at least December 2017, with its most recent activity observed in June 2018.
“Gallmaker bears the hallmarks of a highly targeted cyber espionage campaign supported by a nation-state,” said Greg Clark, Symantec CEO. “They try to stay covert, hiding in plain sight by using tools and techniques that make their activities extremely hard to detect. The group might have continued to go undetected were it not for Symantec’s AI-based Targeted Attack Analytics technology, alerting Symantec’s Attack Investigations Team to the workings of this highly sophisticated and well-orchestrated group. We have been working closely with the organizations targeted by Gallmaker as well as relevant government authorities and law enforcement as appropriate.”
TAA combines the capabilities of Symantec’s security experts with advanced artificial intelligence and machine learning to provide organizations with their own “virtual analysts.” Since its inception, TAA has detected security incidents at thousands of organizations. In this latest discovery, TAA identified the specific PowerShell commands used by Gallmaker as being suspicious.