Gallium is a highly sophisticated and elusive adversary that has been active since at least 2012. Its geographic and sectoral focus, combined with the use of Tactics, Techniques, and Procedures (TTPs) associated with known Chinese adversaries, has led to the conclusion that Gallium is likely a Chinese state-sponsored group.
Gallium is known for targeting unpatched internet-facing services using publicly available exploits. Its intrusion chains commonly employ tools such as the web shell China Chopper, the Remote Access Trojan (RAT) known as PoisonIvy, and the credential-stealing tool Mimikatz, which the adversary uses to obtain credentials that allow it to move laterally across the network.
This adversary focuses on intelligence gathering, with emphasis on the theft of sensitive information, intellectual property, and classified data from high-value entities, including government agencies, defense contractors, research institutions, and diplomatic entities, with a particular interest in the telecommunications sector.
Gallium is strongly associated with the Chinese state-sponsored adversary known as APT41, which is known to conduct espionage activities targeting multiple sectors with wide geographic coverage, including telecommunications providers.
This connection is based on the use of tools that share code similarities and on the use of a code-signing certificate that APT41 has also used in the past. Sharing valid code-signing certificates is common among adversaries of Chinese origin.
AttackIQ has released a content bundle consisting of two new attack graphs that seek to emulate the operations carried out by the Chinese-based adversary Gallium against the Telecommunications sector in recent years.
Validating your security program performance against these behaviors is vital to reducing risk. By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate the performance of security controls against a highly elusive, sector-focused, long-standing adversary.
- Assess your security posture with respect to the Tactics, Techniques and Procedures (TTPs) that Gallium has successfully employed during two large-scale, high-impact operations.
- Continuously validate detection and prevention channels against a highly sophisticated and espionage motivated threat.
Gallium – 2019-06 – Operation Soft Cell
This attack graph emulates a series of advanced persistent attacks, reported by Cybereason in June 2019, directed against global telecommunications providers. These activities, codenamed Operation Soft Cell, are suspected to have been active since at least 2012.
The primary objective of this campaign was to obtain Call Detail Records (CDRs) from telecommunications providers, specifically the records of high-value individuals.
The attack begins in the first stage with the delivery of a modified version of the China Chopper web shell, which the adversary was able to leverage to execute reconnaissance commands. During this stage, the adversary seeks to obtain and enumerate information regarding the compromised machine such as active users, network configuration, and connections.
Ingress Tool Transfer (T1105): Two separate scenarios, one that downloads a known malicious file to memory and one that saves it to disk, test the ability of network and endpoint controls to prevent the delivery of known malicious content.
System Owner / User Discovery (T1033): Live off the land by running whoami and users to gain details about the currently available accounts and permission groups.
System Network Configuration Discovery (T1016): The network configuration of the asset is collected using standard Windows utilities like ipconfig, arp, route, and nltest.
System Network Connections Discovery (T1049): The native Windows command line tool netstat is used to collect active connections and any listening services running on the host.
After the reconnaissance phase, the adversary attempted to obtain credentials from the compromised system. First, it used a modified version of Mimikatz in order to access NTLM hashes. Subsequently, it dumped the Security Account Manager (SAM) database from the registry, which contains local accounts and password hashes.
Once the credentials were obtained and the network mapped, the adversary began to move laterally, relying on Windows Management Instrumentation (WMI) to install their tools across multiple assets.
OS Credential Dumping (T1003): This scenario uses an obfuscated version of Mimikatz to dump passwords and hashes for Windows accounts.
OS Credential Dumping: Security Account Manager (T1003.002): The built-in reg save command is executed to dump the Windows SAM hive.
Create Account: Local Account (T1136.001): This scenario creates a new account using net user.
Windows Management Instrumentation (T1047): This scenario uses wmic commands to execute commands on a remote target.
In the third stage, in order to maintain a long-term foothold and steal data, the adversary deployed PoisonIvy, which is executed through the DLL Side-Loading technique. Once operational, PoisonIvy achieves persistence by creating a rogue scheduled task.
DLL Side-Loading (T1574.002): A legitimate executable is executed that loads a DLL file stored in the same directory that has been replaced with an AttackIQ DLL file.
Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the schtasks utility.
Once persistence is established, PoisonIvy will perform the task of collecting additional information on the compromised systems for subsequent exfiltration. Tasks carried out by this payload include querying the registry, enumerating running processes, collecting screenshots and keystrokes, and discovering network connectivity.
Query Registry (T1012): The HKCU\Software\Microsoft\Windows\CurrentVersion registry key contains information about Windows properties for the user accessing that registry key.
Process Discovery (T1057): Windows' built-in tasklist command is executed as a command process and the results are saved to a file in a temporary location.
Internet Connection Discovery (T1016.001): The actors used ping against Google's 8.8.8.8 DNS server to verify that they could reach the internet. This scenario also uses nslookup to query an external domain via Google's DNS (8.8.8.8).
Data Staged: Local Data Staging (T1074.001): Files are collected and stored in a temporary directory so they can be exfiltrated later.
Exfiltration Over C2 Channel (T1041): This scenario exfiltrates a pre-generated text file containing the output from a series of discovery commands executed by a threat actor. The file is exfiltrated using an HTTP POST request to an AttackIQ controlled test server.
Gallium – 2023-01 – Operation Tainted Love
This attack graph emulates a series of attacks targeting telecommunications providers located in the Middle East by compromising Internet-connected Microsoft Exchange servers with the goal of deploying web shells. This activity, reported by SentinelLabs in March 2023, points to an evolution of the tools associated with Operation Soft Cell.
The telecommunications sector is commonly a target of espionage activities due to the sensitive data it harbors on high-profile targets.
During the first stage of the attack, after achieving initial access, the adversary focuses on the discovery and collection of relevant information related to the compromised system. This stage is carried out by executing commands through the web shell deployed via the access vector.
Basic system information is collected, such as active users, network configuration, connections established with other systems, and connectivity verification. This information is then staged, in preparation for exfiltration as profiling data via HTTP requests.
Account Discovery: Local Account (T1087.001): The native net user command is executed to get a list of local accounts.
In the second and final stage of this attack, the adversary seeks to steal credentials using modified versions of the Mimikatz tool. The chain used by the adversary, known as “mim221”, has the final objective of obtaining credentials from the Local Security Authority Subsystem Service (LSASS) process and ends with the exfiltration of the LSASS memory dump in a compressed zip file over HTTP requests.
Reflective DLL Injection (T1620): This scenario takes a default AttackIQ DLL and loads it into the memory space of its own process in order to execute the desired DLL function.
Access Token Manipulation: Token Impersonation/Theft (T1134.001): This scenario lists and duplicates the Access Tokens of the processes running within the target system and allows executing arbitrary commands impersonating any of those users.
Process Injection (T1055): This scenario injects a DLL file into another running process and validates if a canary file can be created.
OS Credential Dumping: LSASS Memory (T1003.001): LSASS memory is dumped to disk by creating a minidump of the lsass.exe process. This process enforces the security policy on the system and holds many privileged tokens and credentials that are targeted by threat actors. Mimikatz is then used to extract the credentials from that minidump file.
Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): This scenario compresses an LSASS minidump file and exfiltrates it over unencrypted HTTP traffic to an external server.
Detection and Mitigation Opportunities
With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. OS Credential Dumping: LSASS Memory (T1003.001) and OS Credential Dumping: Security Account Manager (T1003.002)
Gallium as well as other adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process, or from the Security Account Manager (SAM) database.
1a. Detection
Search for executions of procdump that attempt to access the LSASS process.
Process Name == (procdump)
Command Line CONTAINS (‘lsass’)
Search for executions of reg.exe attempting to save the SAM registry hive.
Process Name == (reg.exe)
Command Line CONTAINS (‘reg save hklm\sam C:\WINDOWS\TEMP\sam’)
1b. Mitigation
MITRE ATT&CK recommends the following mitigations:
- M1028 – Operating System Configuration
- M1027 – Password Policies
- M1026 – Privileged Account Management
- M1017 – User Training
- M1040 – Behavior Prevention on Endpoint
- M1043 – Credential Access Protection
- M1025 – Privileged Process Integrity
2. Process Injection (T1055) and Hijack Execution Flow: DLL Side-Loading (T1574.002)
Malware commonly injects code into, or side-loads a malicious DLL into, legitimate running processes so that its activity blends in with legitimate applications and appears normal to the compromised system.
2a. Detection
Searching for common processes that are performing uncommon actions can help identify when a process has been compromised. Searching for newly constructed processes or monitoring for DLL/PE file events, specifically for the creation and loading of DLLs into running processes can help identify when a system process has been compromised.
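As an added example, not code from the page or from AttackIQ, the DLL-load monitoring suggested above written as a rule over constructed Sysmon Event ID 7 style image-load records. It flags a DLL that is not validly signed and is loaded from the host executable's own directory, the shape of the side-load the Soft Cell graph emulates, but only when a second indicator is present: the directory is writable by a standard user, or the DLL name collides with one that normally lives in System32. The DLL-name list, the writable-prefix list and the sample records are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed list of DLL names that normally live under System32. A DLL with
# one of these names sitting next to the host binary is the classic
# search-order side-load. Build the real list from your golden image.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll"}

# Constructed list of directory prefixes a standard user can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed image-load records in the style of Sysmon Event ID 7 fields
# (Image = loading process, ImageLoaded = DLL, Signed/SignatureStatus describe
# the DLL). Made up for this example, not telemetry from the AttackIQ scenario.
SAMPLE_IMAGE_LOADS = [
    # Vendor application loading its own signed helper: normal.
    {"Image": r"C:\Program Files\Vendor\App\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\App\helper.dll",
     "Signed": "true", "Signature": "Vendor Inc", "SignatureStatus": "Valid"},
    # Legitimate binary dropped in a public folder beside an unsigned DLL that
    # carries a System32 name: the side-load shape described on the page.
    {"Image": r"C:\Users\Public\Libraries\vendor.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Same binary resolving version.dll from System32: not a side-load.
    {"Image": r"C:\Users\Public\Libraries\vendor.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Unsigned third-party plugin in a protected vendor directory: common, unflagged.
    {"Image": r"C:\Program Files\Vendor\App\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\App\plugin.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Unsigned dbghelp.dll loaded from Temp next to its host.
    {"Image": r"C:\Windows\Temp\update.exe",
     "ImageLoaded": r"C:\Windows\Temp\dbghelp.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


def _dir_and_name(path):
    p = PureWindowsPath(path)
    return str(p.parent).lower(), p.name.lower()


def _validly_signed(ev):
    return (ev.get("Signed", "false").lower() == "true"
            and ev.get("SignatureStatus", "").lower() == "valid")


def assess_image_load(ev):
    """Return a finding dict for a likely side-load, or None."""
    exe_dir, _ = _dir_and_name(ev["Image"])
    dll_dir, dll_name = _dir_and_name(ev["ImageLoaded"])
    # Search-order side-loading puts the DLL beside the host executable; a load
    # from System32 or any other directory is out of scope for this rule.
    if dll_dir != exe_dir or _validly_signed(ev):
        return None
    reasons = ["DLL loaded from the host executable's own directory",
               "DLL is unsigned or its signature did not validate"]
    if (dll_dir + "\\").startswith(USER_WRITABLE_PREFIXES):
        reasons.append("directory is writable by a standard user")
    if dll_name in SYSTEM_DLL_NAMES:
        reasons.append("name collides with a System32 DLL")
    # An unsigned DLL beside a binary in a protected install directory is too
    # common (plugins, vendor helpers) to alert on without a second indicator.
    if len(reasons) == 2:
        return None
    return {"process": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons}


def detect_side_loads(events):
    return [f for f in map(assess_image_load, events) if f]


if __name__ == "__main__":
    for f in detect_side_loads(SAMPLE_IMAGE_LOADS):
        print(f["process"], "->", f["dll"], "|", "; ".join(f["reasons"]))
```

Sysmon reports signature data for the loaded image only, so whether the host executable itself is signed has to be joined from another source if you want to require it; the rule above deliberately does not depend on it.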
2b. Mitigation
MITRE ATT&CK recommends the following mitigations:
- M1040 – Behavior Prevention on Endpoint
- M1026 – Privileged Account Management
- M1013 – Application Developer Guidance
- M1051 – Update Software
Wrap-up
In summary, these attack graphs will evaluate security and incident response processes and support the improvement of your security control posture against a very elusive adversary with a specific focus on the telecommunications sector. With data generated from continuous testing and use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.