G0093 · 31 ATT&CK techniques · 0 correlated reports

GALLIUM

Aliases: Granite Typhoon

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers. Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.

Open interactive actor investigation

ATT&CK techniques

T1059.003
Windows Command Shell T1003.002
Security Account Manager T1078
Valid Accounts T1053.005
Scheduled Task T1027
Obfuscated Files or Information T1553.002
Code Signing T1041
Exfiltration Over C2 Channel T1005
Data from Local System T1574.002
DLL Side-Loading T1588.002
Tool T1047
Windows Management Instrumentation T1136.002
Domain Account T1583.004
Server T1133
External Remote Services T1027.002
Software Packing T1505.003
Web Shell T1003.001
LSASS Memory T1560.001
Archive via Utility T1059.001
PowerShell T1570
Lateral Tool Transfer T1027.005
Indicator Removal from Tools T1090.002
External Proxy T1049
System Network Connections Discovery T1074.001
Local Data Staging T1033
System Owner/User Discovery T1190
Exploit Public-Facing Application T1016
System Network Configuration Discovery T1105
Ingress Tool Transfer T1018
Remote System Discovery T1550.002
Pass the Hash T1036.003
Rename System Utilities

Correlated CTI and IR reports

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research