Symantec said it has discovered previously unknown cyber attackers zeroing in on government and military organizations, including embassies of an Eastern European country and Middle East military and defense targets, in a suspected espionage campaign.
Gallmaker is the name the security provider has given the hacking group. Symantec, which said it used its cloud-based artificial intelligence analytics technology to uncover the cyber spies, believes the crew has been operating only since December 2017, with its most recent activity occurring last June. As far as Symantec can tell, all of Gallmaker’s victims are in the government, military or defense sectors. Several are embassies of a single Eastern European country, located in different regions worldwide. So far, Gallmaker has not been linked to a sponsoring government or nation state.
The bad actors are using an increasingly popular hacking tactic, scorning custom malware to infect their targets and instead relying on publicly available hacking tools and software already installed on targeted computers, Symantec’s researchers said in a blog post. The techniques are known as “living off the land” and can be difficult for traditional security tools to detect. Attackers are hoping to hide in plain sight, with their malicious activity blended into legitimate processes, Symantec said. It’s a strategy also reportedly used by the notorious Lazarus hackers linked to North Korean operatives.
“Gallmaker bears the hallmarks of a highly targeted cyber espionage campaign supported by a nation-state,” said Greg Clark, Symantec CEO. “They try to stay covert, hiding in plain sight by using tools and techniques that make its activities extremely hard to detect.” Clark said that Symantec has been working with the organizations targeted by Gallmaker, government authorities and law enforcement.
The group takes a number of steps to gain access to a victim’s device and then deploys several different attack tools, Symantec detailed in its blog post:
- The group delivers a malicious Microsoft Office lure document to victims, most likely via a spear-phishing email.
- The documents use titles with government, military, and diplomatic themes, and the file names are written in English or in Cyrillic. These documents are not very sophisticated, but evidence of infections shows that they’re effective. The attackers use filenames that would be of interest to a variety of targets in Eastern Europe.
- The documents attempt to exploit the Microsoft Office Dynamic Data Exchange (DDE) protocol to gain access to victims’ machines. If a user enables the content, the attackers use the DDE protocol to remotely execute commands in memory on the victim’s system. By running solely in memory, the attackers’ steps are difficult to detect. They may be deleting some tools to hide any trace of the intrusion.
- Once the Gallmaker attackers gain access to a device, they execute a variety of tools.
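The DDE step above is the part of the chain a defender can check for before a document ever reaches a user: a .docx is a ZIP archive, and any field code that asks Word to start another program begins with `DDE` or `DDEAUTO` in the document's XML. The scanner below is an added example written for this article, not code from Symantec or from its blog post; it assumes only the published Office Open XML layout (field codes in `w:fldSimple` attributes or spread across `w:instrText` runs between `w:fldChar` markers) and builds its own constructed sample document, with a placeholder program name, so it runs offline.

```python
"""Flag Dynamic Data Exchange (DDE) field codes inside Word .docx files.

Added example for triaging suspicious Office attachments. A .docx is a ZIP
archive; field codes live in word/document.xml (and headers, footers and
notes) either as <w:fldSimple w:instr="..."> attributes or as text spread
over one or more <w:instrText> runs between fldChar begin/separate/end
markers. Word frequently splits one code over several runs, so the runs are
rebuilt per field before matching.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"

# DDE or DDEAUTO as the first word of a field code (leading blanks ignored).
DDE_FIELD = re.compile(r"^\s*DDE(?:AUTO)?\b", re.IGNORECASE)

# Package parts that can carry field codes (prefix match on the ZIP entry name).
DOC_PARTS = ("word/document.xml", "word/header", "word/footer",
             "word/footnotes.xml", "word/endnotes.xml")


def _field_codes(xml_bytes):
    """Yield every field code string found in one WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    # Simple fields keep the whole code in an attribute.
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    # Complex fields: gather instrText runs between a begin marker and the
    # separate (or end) marker, one paragraph at a time.
    for para in root.iter(W + "p"):
        buf = None
        for el in para.iter():
            if el.tag == W + "fldChar":
                kind = el.get(W + "fldCharType")
                if kind == "begin":
                    buf = []
                elif kind in ("separate", "end") and buf is not None:
                    yield "".join(buf)
                    buf = None
            elif el.tag == W + "instrText" and buf is not None:
                buf.append(el.text or "")
        if buf:  # unterminated field: still report what was gathered
            yield "".join(buf)


def find_dde_fields(docx_bytes):
    """Return [(part_name, field_code), ...] for every DDE field in the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith(DOC_PARTS) or not name.endswith(".xml"):
                continue
            for code in _field_codes(zf.read(name)):
                if DDE_FIELD.search(code):
                    hits.append((name, code.strip()))
    return hits


def build_sample_docx(field_codes):
    """Build a minimal .docx in memory (constructed test sample, not a real lure).

    Each code becomes one complex field deliberately split across two
    instrText runs, mimicking how Word stores field codes in practice.
    """
    paragraphs = []
    for code in field_codes:
        mid = len(code) // 2
        runs = "".join(
            '<w:r><w:instrText xml:space="preserve">' + part + "</w:instrText></w:r>"
            for part in (code[:mid], code[mid:]))
        paragraphs.append(
            '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            "<w:r><w:t>field result</w:t></w:r>"
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="' + W_NS + '"><w:body>' + "".join(paragraphs) +
        "</w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # minimal placeholder part
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python dde_scan.py file1.docx [file2.docx ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for part, code in find_dde_fields(fh.read()):
                print(f"{path}: DDE field in {part}: {code}")
```

A clean DDE field is the case this catches; lures that wrap the code in `QUOTE` fields or other indirection need the expanded field text to be evaluated first, so treat a miss as "nothing obvious", not as "safe". On the mitigation side, Microsoft's advisory ADV170021 (December 2017) introduced a registry setting that lets administrators disable DDE in Word entirely, which removes the "enable content" decision from the user.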
Symantec said last week that it has uncovered previously unknown malware used by the North Korea-linked Lazarus group in large cyber robberies from automated teller machines (ATMs) worldwide. The notorious hacking crew is now a serious threat to the banking industry, deploying newly uncovered malicious code, known as Trojan.Fastcash, to infect cash machines and make off with millions of dollars, Symantec said. Lazarus has been tied to the infamous attack on Sony Pictures in 2014 that cost the studio millions, the $81 million heist from the Bangladesh Central Bank in 2016 and the destructive WannaCry ransomware assault last year.