Threat Actor Profile
High APT
Description

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.(Citation: Cybereason Soft Cell June 2019) Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)

Confidence Score
90%
Known Aliases
GALLIUM, Granite Typhoon
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (31)
T1005 - Data from Local System (Collection)
T1074.001 - Local Data Staging (Collection)
T1560.001 - Archive via Utility (Collection)
T1090.002 - External Proxy (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1003.002 - Security Account Manager (Credential Access)
T1027 - Obfuscated Files or Information (Defense Evasion)
T1027.002 - Software Packing (Defense Evasion)
T1027.005 - Indicator Removal from Tools (Defense Evasion)
T1036.003 - Rename Legitimate Utilities (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1550.002 - Pass the Hash (Defense Evasion)
T1553.002 - Code Signing (Defense Evasion)
T1016 - System Network Configuration Discovery (Discovery)
T1018 - Remote System Discovery (Discovery)
T1033 - System Owner/User Discovery (Discovery)
T1049 - System Network Connections Discovery (Discovery)
T1047 - Windows Management Instrumentation (Execution)
T1053.005 - Scheduled Task (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1041 - Exfiltration Over C2 Channel (Exfiltration)
T1190 - Exploit Public-Facing Application (Initial Access)
T1570 - Lateral Tool Transfer (Lateral Movement)
T1133 - External Remote Services (Persistence)
T1136.002 - Domain Account (Persistence)
T1505.003 - Web Shell (Persistence)
T1574.001 - DLL (Persistence)
T1583.004 - Server (Resource Development)
T1588.002 - Tool (Resource Development)
STIX Data
{'aliases': ['GALLIUM', 'Granite Typhoon'],
 'created': '2019-07-18T20:47:50.050Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[GALLIUM](https://attack.mitre.org/groups/G0093) is a '
                'cyberespionage group that has been active since at least '
                '2012, primarily targeting telecommunications companies, '
                'financial institutions, and government entities in '
                'Afghanistan, Australia, Belgium, Cambodia, Malaysia, '
                'Mozambique, the Philippines, Russia, and Vietnam. This group '
                'is particularly known for launching Operation Soft Cell, a '
                'long-term campaign targeting telecommunications '
                'providers.(Citation: Cybereason Soft Cell June 2019) Security '
                'researchers have identified '
                '[GALLIUM](https://attack.mitre.org/groups/G0093) as a likely '
                'Chinese state-sponsored group, based in part on tools used '
                'and TTPs commonly associated with Chinese threat '
                'actors.(Citation: Cybereason Soft Cell June 2019)(Citation: '
                'Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull '
                'Jun 2022)',
 'external_references': [{'external_id': 'G0093',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0093'},
                         {'description': '(Citation: Microsoft GALLIUM '
                                         'December 2019)',
                          'source_name': 'GALLIUM'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Granite Typhoon'},
                         {'description': 'Cybereason Nocturnus. (2019, June '
                                         '25). Operation Soft Cell: A '
                                         'Worldwide Campaign Against '
                                         'Telecommunications Providers. '
                                         'Retrieved July 18, 2019.',
                          'source_name': 'Cybereason Soft Cell June 2019',
                          'url': 'https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'MSTIC. (2019, December 12). GALLIUM: '
                                         'Targeting global telecom. Retrieved '
                                         'January 13, 2021.',
                          'source_name': 'Microsoft GALLIUM December 2019',
                          'url': 'https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/'},
                         {'description': 'Unit 42. (2022, June 13). GALLIUM '
                                         'Expands Targeting Across '
                                         'Telecommunications, Government and '
                                         'Finance Sectors With New PingPull '
                                         'Tool. Retrieved August 7, 2022.',
                          'source_name': 'Unit 42 PingPull Jun 2022',
                          'url': 'https://unit42.paloaltonetworks.com/pingpull-gallium/'}],
 'id': 'intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258',
 'modified': '2024-04-17T22:10:27.139Z',
 'name': 'GALLIUM',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Daniyal Naeem, BT Security',
                          'Cybereason Nocturnus, @nocturnus'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '4.0'}