GALLIUM
Also known as: Granite Typhoon
Overview
GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers. Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
- Custom malware/implant development — ATT&CK: 5 attributed custom malware families
TTPs — 31 techniques across 12 tactics
Initial Access
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
Persistence
- T1133 External Remote Services
- T1136.002 Domain Account
- T1505.003 Web Shell
Stealth
- T1027 Obfuscated Files or Information
- T1027.002 Software Packing
- T1027.005 Indicator Removal from Tools
- T1036.003 Rename Legitimate Utilities
- T1078 Valid Accounts
- T1574.001 DLL
Defense Impairment
- T1553.002 Code Signing
Credential Access
- T1003.001 LSASS Memory
- T1003.002 Security Account Manager
Discovery
Lateral Movement
- T1550.002 Pass the Hash
- T1570 Lateral Tool Transfer
Collection
- T1005 Data from Local System
- T1074.001 Local Data Staging
- T1560.001 Archive via Utility
Command and Control
- T1090.002 External Proxy
- T1105 Ingress Tool Transfer
Exfiltration
Tools & malware (16)
ipconfig · Ping · cmd · China Chopper · PoisonIvy · at · PlugX · PingPull · BlackMould · Mimikatz · Net · Reg · PsExec · HTRAN · NBTscan · Windows Credential Editor