ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Gallium

Names:
Gallium (Microsoft)
Phantom Panda (CrowdStrike)
Granite Typhoon (Microsoft)
Alloy Taurus (Palo Alto)
Country: China
Motivation: Information theft and espionage
First seen: 2018
Description: (Microsoft) To compromise targeted networks, GALLIUM targets unpatched internet-facing services using publicly available exploits and has been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allow for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate its intent and is known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low-cost and easy-to-replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points.

This activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.
Observed: Sectors: Financial, Government, Telecommunications.
Tools used: BlackMould, China Chopper, Cobalt Strike, Gh0stCringe RAT, HTran, LaZagne, Mimikatz, nbtscan, netcat, PingPull, Plink, Poison Ivy, PsExec, QuarkBandit, QuasarRAT, Reshell, SoftEther VPN, Sword2033, Windows Credentials Editor, WinRAR.
Operations performed:
Sep 2021: Chinese Alloy Taurus Updates PingPull Malware
<https://unit42.paloaltonetworks.com/alloy-taurus/>
Early 2022: Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus
<https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/>
Jun 2022: GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool
<https://unit42.paloaltonetworks.com/pingpull-gallium/>
Information: <https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0093/>

Last change to this card: 12 October 2023
