Introduction
GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. The group is best known for Operation Soft Cell, a long-running campaign against telecommunications providers [4]. Security researchers assess GALLIUM to be a likely Chinese state-sponsored group, based in part on its tooling and on TTPs commonly associated with Chinese threat actors [4][6][7].
Activities and Tactics
Country of Origin: 🇨🇳 China
Notable Campaigns
- Soft Cell
Tactics, Techniques, and Procedures (TTPs)
- T1059.003 Windows Command Shell
- T1003.002 Security Account Manager
- T1078 Valid Accounts
- T1053.005 Scheduled Task
- T1027 Obfuscated Files or Information
- T1553.002 Code Signing
- T1041 Exfiltration Over C2 Channel
- T1005 Data from Local System
- T1574.001 DLL
- T1588.002 Tool
- T1047 Windows Management Instrumentation
- T1136.002 Domain Account
- T1583.004 Server
- T1133 External Remote Services
- T1027.002 Software Packing
- T1505.003 Web Shell
- T1003.001 LSASS Memory
- T1560.001 Archive via Utility
- T1059.001 PowerShell
- T1570 Lateral Tool Transfer
- T1027.005 Indicator Removal from Tools
- T1090.002 External Proxy
- T1049 System Network Connections Discovery
- T1074.001 Local Data Staging
- T1033 System Owner/User Discovery
- T1190 Exploit Public-Facing Application
- T1016 System Network Configuration Discovery
- T1105 Ingress Tool Transfer
- T1018 Remote System Discovery
- T1550.002 Pass the Hash
- T1036.003 Rename Legitimate Utilities
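Two of the techniques listed above leave distinctive traces in endpoint telemetry: T1036.003 (a tool's on-disk file name no longer matches the OriginalFileName recorded in its PE version resource) and T1003.001 (a process opening lsass.exe with read access to its memory). The following detection logic, added here as an editorial example and not taken from the page or from any GALLIUM reporting, runs those two checks over constructed Sysmon-style events (Event ID 1 process creation and Event ID 10 process access). The sample events, the file names, and the access masks are all constructed for the example; the PROCESS_VM_READ bit value is the documented Windows constant.

```python
"""Detection logic for T1036.003 and T1003.001 over constructed Sysmon-style events.

Added example: not code from the page, the cited reports, or any GALLIUM tooling.
"""
import ntpath

# Windows access-right bit that any memory-reading tool needs on lsass.exe
# (PROCESS_VM_READ as documented for OpenProcess).
PROCESS_VM_READ = 0x0010

# Constructed sample telemetry in the shape of Sysmon Event ID 1 and Event ID 10
# fields. None of these paths or values are real indicators.
SAMPLE_EVENTS = [
    # Benign: on-disk name matches the version resource (case differs only).
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /c whoami"},
    # Suspicious: a scanner dropped under a generic name (T1036.003).
    {"EventID": 1, "Image": r"C:\Windows\Temp\ns.exe",
     "OriginalFileName": "nbtscan.exe", "CommandLine": "ns.exe 10.0.0.0/24"},
    # Benign: a system process queries lsass.exe without PROCESS_VM_READ.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    # Suspicious: an unknown binary reads lsass.exe memory (T1003.001).
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]


def analyze(events):
    """Return a list of (technique_id, image, reason) for every matching event.

    Event ID 1: flag when the lower-cased on-disk file name differs from the
    lower-cased OriginalFileName. Sysmon writes "-" when the PE has no version
    resource, so that value (and an empty one) is skipped rather than flagged.
    Event ID 10: flag when the target is lsass.exe and the granted access mask
    includes PROCESS_VM_READ.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") == 1:
            on_disk = ntpath.basename(ev.get("Image", "")).lower()
            original = ev.get("OriginalFileName", "").lower()
            if original and original != "-" and original != on_disk:
                hits.append(("T1036.003", ev["Image"],
                             f"on-disk name {on_disk!r} != OriginalFileName {original!r}"))
        elif ev.get("EventID") == 10:
            target = ntpath.basename(ev.get("TargetImage", "")).lower()
            access = int(ev.get("GrantedAccess", "0"), 16)
            if target == "lsass.exe" and access & PROCESS_VM_READ:
                hits.append(("T1003.001", ev["SourceImage"],
                             f"opened lsass.exe with access mask 0x{access:x}"))
    return hits


if __name__ == "__main__":
    for technique, image, reason in analyze(SAMPLE_EVENTS):
        print(f"{technique}\t{image}\t{reason}")
```

In production both checks need an allowlist: a handful of legitimate binaries ship with an OriginalFileName that differs from their installed name, and security products, debuggers, and some Windows components legitimately open lsass.exe with PROCESS_VM_READ. The mask test is deliberately a bit-test rather than a comparison against the often-quoted 0x1010 or 0x1fffff values, so that any mask carrying the read right is caught.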
ATT&CK technique IDs (denormalized)
- T1003.001
- T1003.002
- T1005
- T1016
- T1018
- T1027
- T1027.002
- T1027.005
- T1033
- T1036.003
- T1041
- T1047
- T1049
- T1053.005
- T1059.001
- T1059.003
- T1074.001
- T1078
- T1090.002
- T1105
- T1133
- T1136.002
- T1190
- T1505.003
- T1550.002
- T1553.002
- T1560.001
- T1570
- T1574.001
- T1583.004
- T1588.002
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Xploit
- BlackMould
- China Chopper
- PoisonIvy
- QuarkBandit
- Htran
- NBTScan
- PsExec
- WinRAR
- Netcat
MITRE ATT&CK Software
- ipconfig (S0100) — tool
- Ping (S0097) — tool
- cmd (S0106) — tool
- China Chopper (S0020) — malware
- PoisonIvy (S0012) — malware
- at (S0110) — tool
- PlugX (S0013) — malware
- PingPull (S1031) — malware
- BlackMould (S0564) — malware
- Mimikatz (S0002) — tool
- Net (S0039) — tool
- Reg (S0075) — tool
- PsExec (S0029) — tool
- HTRAN (S0040) — tool
- NBTscan (S0590) — tool
- Windows Credential Editor (S0005) — tool
Attribution and Evidence
Country of Origin: China
Attribution rests on overlap in tooling and TTPs with other activity associated with Chinese state-sponsored actors, as assessed by Cybereason [4], Microsoft [6], and Unit 42 [7]. Additional attribution information is pending cataloguing.
References
[1] mitre-attack
[4] Cybereason Soft Cell June 2019: Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
[5] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[6] Microsoft GALLIUM December 2019: MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
[7] Unit 42 PingPull Jun 2022: Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.