Gallium and two other hacking groups have been operating on behalf of the Chinese state, staging a series of attacks against five major telecommunications companies located in Southeast Asian countries. The attacks by Gallium and the others have been ongoing since 2017.
“The goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers,” Cybereason’s Lior Rochberger, Tom Fakterman, Daniel Frank, and Assaf Dahan revealed in a technical analysis published last week.
Gallium and the other groups collectively make up a group named “DeadRinger”. Aside from Gallium (aka Soft Cell), the group also includes Naikon APT (aka APT30 or Lotus Panda) and TG-3390 (aka APT27 or Emissary Panda).
Gallium and Naikon attacks were first observed in Q4 2020, while TG-3390 was first reported attacking the telecom companies in 2017. The three espionage operations are believed to have continued until at least the middle of 2021.
Researchers noted that Gallium is “highly adaptive” and called out their diligent efforts to stay under the radar and maintain persistence on the infected endpoints, while simultaneously shifting tactics and updating their defensive measures to compromise and backdoor unpatched Microsoft Exchange email servers using the ProxyLogon exploits that came to light earlier this March.
“Each phase of the operation demonstrates the attackers’ adaptiveness in how they responded to various mitigation efforts, changing infrastructure, toolsets, and techniques while attempting to become more stealthy,” the researchers noted.
Naikon was found to leverage a backdoor named “Nebulae” and a keylogger named “EnrollLoger”. Nebulae has been used by the group in several separate attacks this year.
Regardless of the attack chain, a successful compromise triggered a sequence of steps, enabling the threat actors to perform network reconnaissance, credential theft, lateral movement, and data exfiltration.
TG-3390 has been active the longest in this campaign, and primarily used a custom .NET-based OWA (Outlook Web Access) backdoor, which is used to pilfer credentials of users logging into Microsoft OWA services, granting the attackers the ability to access the environment stealthily.
There is some overlap in the tools used between the groups, especially with generic tools such as Mimikatz.
“At this point, there is not enough information to determine with certainty the nature of this overlap — namely, whether these clusters represent the work of three different threat actors working independently, or whether these clusters represent the work of three different teams operating on behalf of a single threat actor,” the researchers said.
“A second hypothesis is that there are two or more Chinese threat actors with different agendas/tasks that are aware of each other’s work and potentially even working in tandem.”
History and Methodology of Gallium
Note: This analysis is based on research from Microsoft and reporting by DarkReading.
In 2018, researchers identified an advanced, persistent attack targeting telecommunications providers and using techniques associated with Chinese-affiliated threat actors. Researchers report the attackers, believed to be active since 2012, were attempting to steal data stored in Active Directory, compromise credentials, and access personally identifiable information, billing data, call records, email servers, and users’ geolocations. This threat was later identified as Gallium.
The bulk of Gallium’s activity, which primarily targeted telecommunication providers, was observed throughout 2018 into mid-2019, researchers with the Microsoft Threat Intelligence Center (MSTIC) reported today. While the group is still an active threat, they say, its activity levels have fallen in comparison to what they saw earlier in their research.
To gain access into a target network, Gallium detects and exploits Internet-facing services. The group has been spotted exploiting unpatched Web services; for example, WildFly/JBoss, for which exploits are widely accessible. While it’s often tough to determine a group’s reconnaissance methods, MSTIC says Gallium’s targeting of Internet-facing services is a sign the group uses open-source research and network scanning tools to pinpoint its new targets.
“MSTIC investigations indicate that Gallium modifies its tooling to the extent it evades antimalware detection rather than develop custom functionality,” researchers write in a blog post. “This behavior has been observed with Gallium across several operational areas.”
Gallium’s commonly used tools include Mimikatz, NBTScan, Netcat, WinRAR, and Windows Credential Editor. The group mostly relies on compromised domain credentials to move across a network; once they have credentials, attackers use PsExec to move from host to host.
Researchers point out Gallium does little to hide its intent and often uses common versions of malware and publicly available toolkits with slight modifications. The group has used the Poison Ivy RAT, which is widely accessible, and QuarkBandit, an altered version of Gh0st RAT. Poison Ivy RAT, Gh0st RAT, and the China Chopper Web shell are the foundation of its toolkit.
Gallium mostly uses dynamic DNS subdomains for its C2 infrastructure. Analysis shows the group tends to favor low-cost, low-effort operations, as indicated by its use of dynamic DNS providers instead of registered domains. Its domains have been seen hosted on infrastructure in mainland China, Hong Kong SAR, and Taiwan. Observed IP addresses seem to be exclusive to this group, have minimal or no legitimate activity, and are used in several operations.
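Because the page notes that Gallium favours dynamic DNS subdomains over registered domains for its C2, one practical defensive check is to review resolver logs for internal hosts that repeatedly query names under dynamic DNS providers. The script below is an added example written for this article; it is not code from Cybereason, Microsoft or the researchers cited, and both the provider watchlist (reserved `.example` names) and the resolver log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed watchlist of dynamic DNS provider base domains. This is an
# assumption for the example; a real deployment would load its own list.
DYNDNS_PROVIDERS = {
    "dyndns.example",
    "noip.example",
    "ddns.example",
}

# Constructed sample resolver log: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2021-06-01T08:00:01Z 10.0.5.12 update.windowsupdate.example A
2021-06-01T08:00:03Z 10.0.5.12 billing-srv01.dyndns.example A
2021-06-01T08:00:04Z 10.0.5.40 owa.corp.example A
2021-06-01T08:00:09Z 10.0.5.12 billing-srv01.dyndns.example A
2021-06-01T08:00:15Z 10.0.7.3 mail-sync.noip.example A
2021-06-01T08:00:20Z 10.0.5.40 www.partner.example A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def registrable_suffix(qname, providers):
    """Return the provider base domain that qname falls under, or None.

    Labels are walked from the right, so a query for
    'host.sub.dyndns.example' still matches the provider 'dyndns.example'.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in providers:
            return candidate
    return None


def find_dyndns_queries(log_text, providers=DYNDNS_PROVIDERS):
    """Return (timestamp, client, qname, provider) for every query whose
    name is a subdomain of a watchlisted dynamic DNS provider."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ts, client, qname, _qtype = m.groups()
        provider = registrable_suffix(qname, providers)
        # A query for the provider apex itself is not a customer subdomain.
        if provider and qname.rstrip(".").lower() != provider:
            hits.append((ts, client, qname, provider))
    return hits


def summarise_by_client(hits):
    """Group flagged queries per internal client: {client: {qname: count}}.

    Repeated queries from one host to one dynamic DNS name are a stronger
    beaconing indicator than a single lookup."""
    summary = defaultdict(lambda: defaultdict(int))
    for _ts, client, qname, _provider in hits:
        summary[client][qname] += 1
    return {client: dict(names) for client, names in summary.items()}


if __name__ == "__main__":
    flagged = find_dyndns_queries(SAMPLE_DNS_LOG)
    for client, names in summarise_by_client(flagged).items():
        for qname, count in names.items():
            print(f"{client} -> {qname} ({count} queries)")
```

Run against the constructed log, the script reports two internal hosts: 10.0.5.12 querying billing-srv01.dyndns.example twice and 10.0.7.3 querying mail-sync.noip.example once. Dynamic DNS has plenty of legitimate uses, so the output is a triage queue to cross-check against asset inventory and process telemetry, not a verdict on its own.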
Protection
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.