Tainted Defenses: Emulating Gallium’s Operation Tainted Love

Though the band Soft Cell may be considered a one-hit wonder with their 1981 hit song “Tainted Love”, the same cannot be said for Gallium, a Chinese-based threat actor that has continued to wreak havoc in the Middle Eastern telecommunications sector for over a decade now. Their most recent cyberespionage campaign? Operation Tainted Love.

While I begrudgingly tip my cap to Gallium’s bravado in naming their campaign, there’s nothing admirable about the threat they pose to organizations and the damage they can inflict to a wide range of entities – specifically those that deploy Microsoft Exchange servers. Spanning past telecommunications, Gallium’s targets include government agencies, critical infrastructure, individuals, and specific industries in attempts to steal sensitive data, intellectual property, and financial information.

What is Operation Tainted Love?

In March 2023, SentinelLabs reported the detection of the initial phases of an attack against telecommunications providers located in the Middle East. This wave of attacks starts by compromising internet-facing Microsoft Exchange servers with the aim of deploying web shells, and seeks to exploit vulnerabilities in organizations’ digital infrastructures, leaving a trail of compromised systems and sensitive data in its wake.

The operation involves a multi-pronged approach, combining advanced malware deployment, social engineering tactics, and a keen understanding of the target’s weaknesses. During this activity, the responsible party made use of a multi-component credential theft malware that is based on a series of Mimikatz modifications on closed-source tooling. Gallium’s footprint can be traced back to 2012 under the campaign “Operation Soft Cell”, so while their espionage expertise has continued to evolve, it’s clear that their music taste has not.

Flex Your Muscles and Thwart Gallium’s Tease

Soft Cell’s poignant lyrics – “Don’t touch me, please, I cannot stand the way you tease” – mirror both the wicked flair of Gallium’s advances and the urgency with which organizations must break free from the adversary group’s grasp and from traditional notions of defense, embracing instead a proactive, adaptive stance. Just as the song urges the listener to “run away”, running away is exactly what Gallium hopes organizations will do.

Instead, AttackIQ and our Flex package take an alternate approach and confront Gallium’s nefarious behaviors head-on using attack graphs – strategically emulating Gallium’s tactics to help organizations expose and rectify weaknesses before they can be exploited and ultimately build a threat-informed defense. Just as the song’s chorus laments a love gone wrong, security teams need to recognize the flaws in their existing strategies and embrace a new paradigm of cybersecurity – one that can be found with AttackIQ through continuous control testing and scenario emulations.

Emulate the Campaign with Attack Graphs

AttackIQ’s attack graph begins immediately after initial access. During the first stage, by executing commands through the web shell deployed via the access vector, the adversary focuses on discovering and collecting relevant information about the compromised system. Then, in the final stage, the adversary aims to steal credentials using a multi-component credential-stealing malware known as “mim221”. This tool ultimately aims to obtain credentials from the Local Security Authority Subsystem Service (LSASS) process, and the stage ends with the exfiltration of the resulting process dump, compressed into a zip file, via HTTP requests.

Scenarios included in this Package:

  • Dump LSASS Process to Minidump File
  • Data Staged Script
  • Exfiltrate LSASS Memory Dump Over HTTP
  • Account Discovery using “net.exe” command
  • System Owner/User Discovery Script
  • Code Injection via Load Library and Create Remote Thread
  • Internet Connection Discovery via ping to 8.8.8.8
  • System Network Connections Discovery
  • Save 2023-01 getHashFlsa64.exe Sample to File System
  • Download 2023-03 pc.exe Sample to Memory
  • Exfiltrate Text File Containing Windows System Profiling Data via HTTP to Test Server
  • Save 2023-03 pc.exe Sample to File System
  • System Network Configuration Discovery through Windows Command Line
  • Access Token Manipulation
  • Reflective DLL Injection
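The scenarios above map onto a small number of observable host behaviors: discovery commands spawned beneath the IIS worker process that hosts the web shell, a non-system process opening a read handle to LSASS, a zip archive being staged, and the same process then making an outbound HTTP connection. The following detection logic is an added example written for this article, not AttackIQ’s scenario code or Gallium’s tooling; it correlates those stages per host over a handful of constructed, simplified Sysmon-style `key=value` events (real Sysmon emits XML, so a production version would parse that instead). The allowlist of legitimate LSASS readers, the host names, the `pc.exe` drop path and the destination IP are all assumptions chosen for the sample.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a simplified Sysmon-style key=value form (not real logs).
# EventID 1 = process create, 3 = network connection, 10 = process access, 11 = file create.
SAMPLE_EVENTS = [
    # Stage 1: discovery commands run from a web shell child of the IIS worker process
    r'EventID=1 Host=EXCH01 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c whoami"',
    r'EventID=1 Host=EXCH01 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\net.exe CommandLine="net user /domain"',
    r'EventID=1 Host=EXCH01 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\PING.EXE CommandLine="ping 8.8.8.8"',
    r'EventID=1 Host=EXCH01 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\ipconfig.exe CommandLine="ipconfig /all"',
    # Stage 2: credential theft - an unexpected process reads LSASS, stages a zip, then talks HTTP
    r'EventID=10 Host=EXCH01 SourceImage=C:\ProgramData\pc.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010',
    r'EventID=11 Host=EXCH01 Image=C:\ProgramData\pc.exe TargetFilename=C:\ProgramData\lsass.zip',
    r'EventID=3 Host=EXCH01 Image=C:\ProgramData\pc.exe DestinationIp=203.0.113.10 DestinationPort=80',
    # Benign noise on another host: an allowlisted AV engine holding a handle to LSASS
    r'EventID=10 Host=WS07 SourceImage="C:\Program Files\Windows Defender\MsMpEng.exe" TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010',
]

# Assumed allowlist of processes expected to read LSASS memory on these hosts (tune per estate).
LSASS_READERS_ALLOWED = {r"c:\program files\windows defender\msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access-mask bit needed to read process memory

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
DISCOVERY_RE = re.compile(
    r'\b(net(1)?(\.exe)?\s+(user|group|localgroup)|whoami|ipconfig|netstat|ping\s+8\.8\.8\.8)\b',
    re.IGNORECASE)


def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def classify(ev):
    """Return the attack-graph stage tags a single event contributes."""
    tags = set()
    eid = ev.get("EventID")
    if eid == "1":
        if DISCOVERY_RE.search(ev.get("CommandLine", "")):
            tags.add("discovery")
        if ev.get("ParentImage", "").lower().endswith("\\w3wp.exe"):
            tags.add("webshell_child")  # command shell spawned by the IIS worker
    elif eid == "10" and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        src = ev.get("SourceImage", "").lower()
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if src not in LSASS_READERS_ALLOWED and granted & PROCESS_VM_READ:
            tags.add("lsass_access")
    elif eid == "11" and ev.get("TargetFilename", "").lower().endswith(".zip"):
        tags.add("staging")
    elif eid == "3" and ev.get("DestinationPort") in {"80", "443"}:
        tags.add("http_egress")
    return tags


def correlate(lines):
    """Group stage tags per host. Plain HTTP egress is noise on its own; it is promoted
    to 'exfil' only when the connecting process also opened LSASS on the same host."""
    events = [parse_event(line) for line in lines]
    stages = defaultdict(set)
    dumpers = defaultdict(set)
    for ev in events:
        tags = classify(ev)
        host = ev.get("Host", "?")
        if "lsass_access" in tags:
            dumpers[host].add(ev["SourceImage"].lower())
        stages[host] |= tags
    for ev in events:
        host = ev.get("Host", "?")
        if "http_egress" in classify(ev) and ev.get("Image", "").lower() in dumpers[host]:
            stages[host].add("exfil")
    for tagset in stages.values():
        tagset.discard("http_egress")
    return dict(stages)


def assess(lines):
    """Rate hosts: LSASS access followed by exfil from the same process is high; three or
    more distinct stages without that pairing is medium."""
    hits = {}
    for host, tagset in correlate(lines).items():
        if {"lsass_access", "exfil"} <= tagset:
            hits[host] = "high"
        elif len(tagset) >= 3:
            hits[host] = "medium"
    return hits


if __name__ == "__main__":
    for host, severity in assess(SAMPLE_EVENTS).items():
        print(f"{host}: {severity} - stages {sorted(correlate(SAMPLE_EVENTS)[host])}")
```

Running this against the sample flags only `EXCH01` as high, because the LSASS read, the zip staging and the HTTP connection all come from the same process, while the Defender handle on `WS07` is ignored by the allowlist. When validating an emulation run such as the one described above, the useful question is which of these stages your own telemetry pipeline actually surfaces; a gap at any one of them (no Event ID 10 collection, no egress logging from the Exchange host) is exactly what the attack graph is meant to reveal.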

Conclusion

By leveraging AttackIQ’s emulation capabilities, organizations can pivot from reactive to proactive defense, fortifying their cybersecurity strategies against Gallium’s malevolent advances. The combination of music-inspired threat campaigns and innovative cybersecurity solutions heralds a new era of defense – one that learns from adversaries, anticipates their moves, and orchestrates a resilient defense, breaking free from the taunting grip of threats like Gallium’s “Operation Tainted Love.”