Symantec Uncovers New Cyber Espionage Group Targeting Government, Military and Defense Sectors


Symantec’s Artificial Intelligence-based Targeted Attack Analytics spotted the previously unknown Gallmaker group and its under-the-radar techniques

MOUNTAIN VIEW, Calif.--(BUSINESS WIRE)-- Symantec Corp. (NASDAQ: SYMC), the world’s leading cyber security company, has discovered a previously unknown attack group with the help of Symantec’s artificial intelligence-based Targeted Attack Analytics (TAA) technology. Symantec researchers found that the group, dubbed Gallmaker, targets government and military organizations, including several overseas embassies of an Eastern European country and military and defense targets in the Middle East.

Gallmaker shuns malware to compromise organizations, instead relying on publicly available hack tools and software already installed on targeted computers. Such techniques, known as living off the land, have become increasingly popular for attackers, as they can be difficult for traditional security tools to detect. Gallmaker notably sends a Microsoft Office document that would be of interest to the organizations it seeks to compromise, exploiting an unsecure protocol in Office to gain access to victim machines, thus infiltrating their network. The group has been operating since at least December 2017, with its most recent activity observed in June 2018.

“Gallmaker bears the hallmarks of a highly targeted cyber espionage campaign supported by a nation-state,” said Greg Clark, Symantec CEO. “They try to stay covert, hiding in plain sight by using tools and techniques that make its activities extremely hard to detect. The group might have continued to go undetected were it not for Symantec’s AI-based Targeted Attack Analytics technology, alerting Symantec’s Attack Investigations Team to the workings of this highly sophisticated and well-orchestrated group. We have been working closely with the organizations targeted by Gallmaker as well as relevant government authorities and law enforcement as appropriate.”

Targeted Attack Analytics (TAA) combines the capabilities of Symantec’s world-leading security experts with advanced artificial intelligence and machine learning to provide organizations with their own “virtual analysts.” Since its inception, TAA has detected security incidents at thousands of organizations, automating what would normally have taken many hours of analyst time. In this latest discovery, TAA identified the specific PowerShell commands used by Gallmaker as being suspicious.

While Gallmaker’s activity appears to be highly targeted, it serves as a reminder to all organizations that they must remain vigilant against the growing threat of attackers utilizing tactics to stay undetected. To take a more active defense against such attacks, enterprises will soon be able to use Symantec’s Targeted Attack Analytics, enabling customers to leverage advanced machine learning to automate the discovery of targeted attacks using living off the land tactics.

Helpful Links:

  • Read our blog on the Gallmaker research here
  • Learn more about Symantec’s Targeted Attack Analytics here
  • Learn more about the increase in Living Off The Land tactics here

About Symantec

Symantec Corporation (NASDAQ: SYMC), the world's leading cyber security company, helps organizations, governments and people secure their most important data wherever it lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec's Norton and LifeLock product suites to protect their digital lives at home and across their devices. Symantec operates one of the world's largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats. For additional information, please visit or connect with us on Facebook, Twitter, and LinkedIn.

Jennifer Duffourg, +33 6 73 06 50 43
Jenn Foss, 503-471-6804

Source: Symantec Corp.