Symantec reveals state-sponsored group that doesn’t care for malware

The hacking group, dubbed "Gallmaker," has been going after diplomatic and military targets in a campaign that researchers say is difficult to detect.

A newly revealed hacking group has been going after diplomatic and military targets in a malware-less campaign that researchers say makes it difficult to detect.

Over the last 10 months, the so-called Gallmaker group has conducted what appear to be cyber-espionage operations against several embassies belonging to an Eastern European country, according to research from cybersecurity company Symantec published Wednesday. The group, which researchers say is likely state-sponsored, has also targeted military and defense organizations in the Middle East.

“The type of targets seen in the attacks really fit that of what an espionage group would be interested in,” Jon DiMaggio, senior threat intelligence analyst at Symantec, told CyberScoop. “If simply for financial gain, it would be odd to restrict targets to diplomatic, military and defense personnel.” Gallmaker’s end goal appears to be collecting intelligence on its targets in the form of documents and communications, according to DiMaggio.

Gallmaker’s hackers use “living off the land” tactics — or tools already installed on target computers — that leave less of a footprint in the hopes of avoiding detection. Symantec has warned that such tactics are on the rise. “Often this activity will blend in with legitimate operational activity conducted by administrators,” DiMaggio said.


Gallmaker’s operatives have sent Microsoft Office documents with military and diplomatic themes in their titles in an attempt to exploit an Office protocol, according to Symantec. “These documents are not very sophisticated, but evidence of infections shows that they’re effective,” a company blog post says.

Last year, researchers from SensePost pointed out that the protocol, known as Dynamic Data Exchange (DDE), could be exploited by attackers to open executable programs and run commands. Microsoft issued a patch in December, but Symantec says Gallmaker’s victims have not had that patch in place.

“When the victim opens the lure document, a warning appears asking victims to ‘enable content,’” the Symantec blog states. “Should a user enable this content, the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim’s system.”
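From the defender's side, an added example (not code from Symantec or CyberScoop): a small Python scanner that flags Word documents carrying DDE or DDEAUTO field codes of the kind the lure documents above rely on, so such files can be triaged before anyone is asked to "enable content". The .docx structure and the field strings it is run against are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)  # field keyword, case-insensitive

def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Return field instructions in word/document.xml that start with DDE or DDEAUTO.
    Complex fields split their instruction over several <w:instrText> runs between
    fldChar begin/end, so those runs are concatenated before matching.
    Headers, footers and other parts of the package are not inspected here."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    hits = []
    for fld in root.iter(W + "fldSimple"):          # simple fields: <w:fldSimple w:instr="...">
        instr = fld.get(W + "instr", "")
        if DDE_RE.match(instr):
            hits.append(instr.strip())
    buf, in_field = [], False
    for el in root.iter():                          # document order, so runs reassemble correctly
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                buf, in_field = [], True
            elif kind == "end" and in_field:
                instr = "".join(buf)
                if DDE_RE.match(instr):
                    hits.append(instr.strip())
                in_field = False
        elif el.tag == W + "instrText" and in_field:
            buf.append(el.text or "")
    return hits

def build_sample_docx(instr_runs: list[str]) -> bytes:
    """Constructed minimal .docx holding one complex field (test input, not a real lure)."""
    runs = "".join(f'<w:r><w:instrText xml:space="preserve">{t}</w:instrText></w:r>'
                   for t in instr_runs)
    xml = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("word/document.xml", xml)
    return out.getvalue()

# Constructed samples: a DDEAUTO instruction split across two runs, and a harmless DATE field.
SAMPLE_DDE = build_sample_docx(["DDE", 'AUTO "CONSTRUCTED-PLACEHOLDER" "no real command"'])
SAMPLE_BENIGN = build_sample_docx([' DATE \\@ "yyyy-MM-dd" '])
```

Run `find_dde_fields` over a mailbox or file-share sweep and route any non-empty result to the analyst queue; a DATE or PAGE field returns nothing.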


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
