Skip to content

G0093 GALLIUM

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.123

Item Value
ID G0093
Associated Names Operation Soft Cell
Version 3.0
Created 18 July 2019
Last Modified 12 August 2022
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Operation Soft Cell 1

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.004 Server GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.2
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.1
enterprise T1059.003 Windows Command Shell GALLIUM used the Windows command shell to execute commands.1
enterprise T1136 Create Account -
enterprise T1136.002 Domain Account GALLIUM created high-privileged domain user accounts to maintain access to victim networks.12
enterprise T1005 Data from Local System GALLIUM collected data from the victim’s local system, including password hashes from the SAM hive in the Registry.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.1
enterprise T1041 Exfiltration Over C2 Channel GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data.1
enterprise T1190 Exploit Public-Facing Application GALLIUM exploited a publicly-facing servers including Wildfly/JBoss servers to gain access to the network.12
enterprise T1133 External Remote Services GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments.12
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.1
enterprise T1105 Ingress Tool Transfer GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.12
enterprise T1570 Lateral Tool Transfer GALLIUM has used PsExec to move laterally between hosts in the target network.2
enterprise T1036 Masquerading -
enterprise T1036.003 Rename System Utilities GALLIUM used a renamed cmd.exe file to evade detection.1
enterprise T1027 Obfuscated Files or Information GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.1
enterprise T1027.002 Software Packing GALLIUM packed some payloads using different types of packers, both known and custom.1
enterprise T1027.005 Indicator Removal from Tools GALLIUM ensured each payload had a unique hash, including by using different types of packers.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions.2
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.12
enterprise T1003.002 Security Account Manager GALLIUM used reg commands to dump specific hives from the Windows Registry, such as the SAM hive, and obtain password hashes.1
enterprise T1090 Proxy -
enterprise T1090.002 External Proxy GALLIUM used a modified version of HTRAN to redirect connections between networks.1
enterprise T1018 Remote System Discovery GALLIUM used a modified version of NBTscan to identify available NetBIOS name servers over the network as well as ping to identify remote systems.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task GALLIUM established persistence for PoisonIvy by created a scheduled task.1
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration.12
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing GALLIUM has used stolen certificates to sign its tools including those from Whizzimo LLC.2
enterprise T1016 System Network Configuration Discovery GALLIUM used ipconfig /all to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers.1
enterprise T1049 System Network Connections Discovery GALLIUM used netstat -oan to obtain information about the victim network connections.1
enterprise T1033 System Owner/User Discovery GALLIUM used whoami and query user to obtain information about the victim user.1
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.002 Pass the Hash GALLIUM used dumped hashes to authenticate to other machines via pass the hash.1
enterprise T1078 Valid Accounts GALLIUM leveraged valid accounts to maintain access to a victim network.1
enterprise T1047 Windows Management Instrumentation GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.1

Software

ID Name References Techniques
S0110 at 1 At:Scheduled Task/Job
S0564 BlackMould 2 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Data from Local System File and Directory Discovery Ingress Tool Transfer System Information Discovery
S0020 China Chopper 12 Web Protocols:Application Layer Protocol Password Guessing:Brute Force Windows Command Shell:Command and Scripting Interpreter Data from Local System File and Directory Discovery Timestomp:Indicator Removal Ingress Tool Transfer Network Service Discovery Software Packing:Obfuscated Files or Information Web Shell:Server Software Component
S0106 cmd 12 Windows Command Shell:Command and Scripting Interpreter File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Lateral Tool Transfer System Information Discovery
S0040 HTRAN 12 Process Injection Proxy Rootkit
S0100 ipconfig 1 System Network Configuration Discovery
S0002 Mimikatz 12 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0590 NBTscan 1 Network Service Discovery Network Sniffing Remote System Discovery System Network Configuration Discovery System Owner/User Discovery
S0039 Net 1 Domain Account:Account Discovery Local Account:Account Discovery Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0097 Ping 1 Remote System Discovery
S1031 PingPull 3 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery Timestomp:Indicator Removal Masquerade Task or Service:Masquerading Non-Application Layer Protocol Non-Standard Port System Information Discovery System Network Configuration Discovery
S0013 PlugX 1 DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts DLL Side-Loading:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Ingress Tool Transfer Keylogging:Input Capture Masquerade Task or Service:Masquerading Match Legitimate Name or Location:Masquerading Modify Registry Native API Network Share Discovery Non-Application Layer Protocol Obfuscated Files or Information Process Discovery Query Registry Screen Capture System Network Connections Discovery MSBuild:Trusted Developer Utilities Proxy Execution System Checks:Virtualization/Sandbox Evasion Dead Drop Resolver:Web Service
S0012 PoisonIvy 12 Application Window Discovery Active Setup:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data from Local System Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Rootkit
S0029 PsExec 12 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0075 Reg 1 Modify Registry Query Registry Credentials in Registry:Unsecured Credentials
S0005 Windows Credential Editor 2 LSASS Memory:OS Credential Dumping

References

  1. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  2. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. 

  3. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.