GALLIUM

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]

ID: G0093
Associated Groups: Granite Typhoon
Contributors: Daniyal Naeem, BT Security; Cybereason Nocturnus, @nocturnus
Version: 4.0
Created: 18 July 2019
Last Modified: 17 April 2024

Associated Group Descriptions

Name: Granite Typhoon
Description: (none given) [4]

Techniques Used

Domain ID Name Use

Enterprise T1047 Windows Management Instrumentation

GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.[1]

Enterprise T1005 Data from Local System

GALLIUM collected data from the victim's local system, including password hashes from the SAM hive in the Registry.[1]

Enterprise T1090 .002 Proxy: External Proxy

GALLIUM used a modified version of HTRAN to redirect connections between networks.[1]

Enterprise T1036 .003 Masquerading: Rename System Utilities

GALLIUM used a renamed cmd.exe file to evade detection.[1]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

GALLIUM used dumped hashes to authenticate to other machines via pass the hash.[1]

Enterprise T1136 .002 Create Account: Domain Account

GALLIUM created high-privileged domain user accounts to maintain access to victim networks.[1][2]

Enterprise T1190 Exploit Public-Facing Application

GALLIUM exploited public-facing servers, including Wildfly/JBoss servers, to gain access to the network.[1][2]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

GALLIUM used the Windows command shell to execute commands.[1]

Enterprise T1133 External Remote Services

GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments.[1][2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.[1][2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.[1][2]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

GALLIUM used reg commands to dump specific hives from the Windows Registry, such as the SAM hive, and obtain password hashes.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.[1]

Enterprise T1078 Valid Accounts

GALLIUM leveraged valid accounts to maintain access to a victim network.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration.[1][2]

Enterprise T1570 Lateral Tool Transfer

GALLIUM has used PsExec to move laterally between hosts in the target network.[2]

Enterprise T1027 Obfuscated Files or Information

GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

GALLIUM packed some payloads using different types of packers, both known and custom.[1]

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

GALLIUM ensured each payload had a unique hash, including by using different types of packers.[1]

Enterprise T1033 System Owner/User Discovery

GALLIUM used whoami and query user to obtain information about the victim user.[1]

Enterprise T1049 System Network Connections Discovery

GALLIUM used netstat -oan to obtain information about the victim network connections.[1]

Enterprise T1016 System Network Configuration Discovery

GALLIUM used ipconfig /all to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers.[1]

Enterprise T1583 .004 Acquire Infrastructure: Server

GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.[2]

Enterprise T1588 .002 Obtain Capabilities: Tool

GALLIUM has used a variety of widely available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions.[2]

Enterprise T1105 Ingress Tool Transfer

GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, WinRAR, and HTRAN.[1][2]

Enterprise T1018 Remote System Discovery

GALLIUM used a modified version of NBTscan to identify available NetBIOS name servers over the network, as well as ping to identify remote systems.[1]

Enterprise T1041 Exfiltration Over C2 Channel

GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

GALLIUM established persistence for PoisonIvy by creating a scheduled task.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

GALLIUM has used stolen certificates to sign its tools, including certificates from Whizzimo LLC.[2]

Software

ID Name References Techniques
S0110 at [1] Scheduled Task/Job: At
S0564 BlackMould [2] Data from Local System, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, File and Directory Discovery, System Information Discovery, Ingress Tool Transfer
S0020 China Chopper [1][2] Data from Local System, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, File and Directory Discovery, Brute Force: Password Guessing, Server Software Component: Web Shell, Obfuscated Files or Information: Software Packing, Indicator Removal: Timestomp, Network Service Discovery, Ingress Tool Transfer
S0106 cmd [1][2] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Lateral Tool Transfer, Indicator Removal: File Deletion, System Information Discovery, Ingress Tool Transfer
S0040 HTRAN [1][2] Rootkit, Proxy, Process Injection
S0100 ipconfig [1] System Network Configuration Discovery
S0002 Mimikatz [1][2] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0590 NBTscan [1] System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S0039 Net [1] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0097 Ping [1] Remote System Discovery
S1031 PingPull [3] Data from Local System, Masquerading: Masquerade Task or Service, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, File and Directory Discovery, Indicator Removal: Timestomp, System Information Discovery, System Network Configuration Discovery, Exfiltration Over C2 Channel, Non-Application Layer Protocol, Non-Standard Port
S0013 PlugX [1] Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, System Network Connections Discovery, Network Share Discovery, Web Service: Dead Drop Resolver, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol
S0012 PoisonIvy [1][2] Rootkit, Data from Local System, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Application Window Discovery, Execution Guardrails: Mutual Exclusion, Data Staged: Local Data Staging, Obfuscated Files or Information, Ingress Tool Transfer, Input Capture: Keylogging, Process Injection: Dynamic-link Library Injection
S0029 PsExec [1][2] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0075 Reg [1] Modify Registry, Unsecured Credentials: Credentials in Registry, Query Registry
S0005 Windows Credential Editor [2] OS Credential Dumping: LSASS Memory

References