Names | Gallium (Microsoft) | |
Country | ![]() | |
Motivation | Information theft and espionage | |
First seen | 2018 | |
Description | (Microsoft) To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points. This activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed. | |
Observed | Sectors: Telecommunications. | |
Tools used | BlackMould, China Chopper, HTran, nbtscan, netcat, Mimikatz, Poison Ivy, PsExec, QuarkBandit, SoftEther VPN, Windows Credentials Editor, WinRAR. | |
Information | <https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/> |
Last change to this card: 14 April 2020
Digital Service Security Center Follow us on![]() ![]() |
Report incidents |
|
![]() |
+66 (0)2-123-1227 | |
![]() |
[email protected] |