Government hackers using publicly available tools to wage international espionage, researchers warn
Publicly available hacking tools were leveraged to conduct an international espionage campaign targeting government victims, security researchers warned Wednesday.
Researchers at Symantec said Wednesday that a suspected state-sponsored hacking group used free tools, including Metasploit, a widely available penetration testing framework, to wage operations against diplomatic and military targets without deploying malware.
The hackers avoided using any intrinsically malicious computer software during the campaign, and instead the group relied on legitimate tools for operations that researchers might normally expect to involve sophisticated custom-built code, Symantec’s security response team said in a blog post.
Dubbed “Gallmaker,” the hacking group used the Metasploit framework and free code available on GitHub to mount a months-long espionage campaign against targets including several embassies of an unnamed Eastern European country and military and defense targets in the Middle East, Symantec said.
“The tools used by Gallmaker are publicly available and can be used for legitimate purposes,” said Symantec researcher Dick O’Brien. “The fact that they may have legitimate reasons to be on a device means their presence may not necessarily arouse suspicion, hence their appeal to attackers,” he told ZDNet.
“Because they can mount every stage of an attack without resorting to malware, this points to a group who are more knowledgeable and skilled than most espionage groups,” Mr. O’Brien added.
The hackers operated by sending targets booby-trapped documents that are designed to grant them access to recipients’ computers upon being opened, Symantec said. Once successful, Gallmaker then uses Metasploit rather than malware to remotely execute code on those machines, according to the security firm.
Previously discovered espionage campaigns attributed to government hacking groups, including several credited to Russian military intelligence, have involved custom malware designed to let attackers exfiltrate data upon infection. Sophisticated malware typically requires significant resources, however, either in the form of talented coders or a budget that allows for purchasing exploits to repurpose.
Absent any clear connections between the European and Middle Eastern targets, the singling out of defense, military and government sectors “appear unlikely to be random or accidental,” but instead bear the hallmarks of an internet-enabled espionage campaign, Symantec said.
Symantec became aware of Gallmaker’s activities through proprietary threat detection technology that uses artificial intelligence and machine learning, the firm said. The technology flagged certain commands as suspicious and subsequently notified Symantec, the company said.
Gallmaker has been operating since at least December 2017 and was observed as recently as June, Symantec said.