🇨🇳

GALLIUM

APT Group Information theft and espionage ETDA ✓

Also Known As 5 names

Alloy Taurus Granite Typhoon Operation Soft Cell PHANTOM PANDA Red Dev 4

Target Countries 5

Countries highlighted in red

Burkina Faso Canada Slovakia United States South Africa

Sectors Targeted

Truck Transportation 484 Public Relations Agencies 54182 Employment Placement Agencies and Executive Search Services 56131 National Security and International Affairs 928110 Food Services and Drinking Places 722 Data Processing, Hosting, and Related Services 51821 Telecommunications 517 Computer Systems Design and Related Services 54151 Oil and Gas Extraction 211

Details

Origin 🇨🇳 CN

Last Updated 01 Jun 2022

Malware Families 5

sorgu

unidentified_075

zhmimikatz

NewCore

darkstrat

MITRE ATT&CK 57

T1003 T1003.001 T1003.002 T1005 T1016 T1018 T1021 T1027 T1027.002 T1027.005 T1033 T1036 T1036.003 T1041 T1047 T1049 T1053 T1053.005 T1055 T1059 T1059.001 T1059.003 T1069 T1071 T1071.001 T1074 T1074.001 T1078 T1078.001 T1090 T1090.002 T1105 T1106 T1133 T1134 T1136 T1136.002 T1140 T1190 T1199 T1505 T1505.003 T1547 T1550 T1550.002 T1553 T1553.002 T1560 T1560.001 T1566.001 T1570 T1574 T1574.001 T1583 T1583.004 T1588 T1588.002

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 5 entries

Gallium Microsoft

Phantom Panda CrowdStrike

Granite Typhoon Microsoft

Alloy Taurus Palo Alto

G0093 MITRE

Description

(Microsoft) To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points. This activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.

Tools Used 20

BlackMould China Chopper Cobalt Strike Gh0stCringe RAT HTran LaZagne Mimikatz nbtscan netcat PingPull Plink Poison Ivy PsExec QuarkBandit QuasarRAT Reshell SoftEther VPN Sword2033 Windows Credentials Editor WinRAR

Operations 3

2021-09 Chinese Alloy Taurus Updates PingPull Malware https://unit42.paloaltonetworks.com/alloy-taurus/

2022 Early Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/

2022-06 GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool https://unit42.paloaltonetworks.com/pingpull-gallium/

Reports & References 1

https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

ETDA Profile

Gallium

Origin

China

First Seen 2018

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0093/

View on ETDA APT Groups ↗