Threat Groups

Gallium

1. Overview

Gallium is a cyber espionage group attributed to China, active since at least 2012. The group has been observed conducting highly targeted operations against telecommunications providers, government entities, and critical infrastructure, primarily in Asia and the Middle East, though European organisations—including those in the UK—have also been affected.

Gallium is considered a highly focused advanced persistent threat (APT), operating in alignment with Chinese strategic objectives, including the Belt and Road Initiative. It has shown particular interest in accessing telecommunications metadata, surveillance infrastructure, and the ability to conduct long-term network intrusion and intelligence collection.


2. Origin and Evolution

Gallium was first publicly disclosed by Microsoft and other threat intelligence researchers in 2019, although it had been operating covertly for many years before that. Its campaigns have been characterised by long dwell times, low detection rates, and the use of both custom and publicly available tools.

Over time, Gallium has refined its techniques, moving from traditional malware deployment toward credential abuse, web shell deployment, and living-off-the-land techniques. In 2023 and 2024, the group expanded its infrastructure, targeting critical infrastructure outside its traditional geographic footprint, including in Europe and Africa.


3. Tactics, Techniques, and Procedures (TTPs)

Gallium’s operations are highly focused and methodical. Its typical attack chain includes:

  • Initial access
    Exploitation of internet-facing services such as Microsoft Exchange, SharePoint, and VPN appliances (T1190). Gallium has also used spear-phishing and password spraying (T1078, T1110).
  • Credential theft
    Uses credential dumping tools such as Mimikatz and LSASS memory scraping (T1003), followed by lateral movement via PsExec, WMI, or RDP (T1021).
  • Persistence
    Establishes long-term access via web shells such as China Chopper and custom implants, sometimes embedding backdoors in IIS or Exchange services (T1505.003).
  • Data collection and exfiltration
    Focuses on collecting metadata, logs, and internal communications. Exfiltrates data over encrypted channels using secure FTP or custom tools (T1041).
  • Infrastructure
    Gallium uses infrastructure registered through privacy-protecting registrars, often with domain names designed to mimic legitimate organisations. The group cycles infrastructure regularly to avoid attribution and takedowns.

4. Targeting Profile

Gallium focuses on sectors that align with China’s strategic and geopolitical goals. These include:

  • Telecommunications and satellite communications providers
  • Government agencies in the Middle East, South Asia, and Europe
  • Critical infrastructure (water, energy, and logistics)
  • Academic and research institutions with links to national security or technology development
  • Defence contractors and military organisations

In the UK, telecommunications operators, critical infrastructure providers, and academic institutions involved in policy or technical research have been observed as targets.


5. Notable Campaigns and Victims

Gallium operates with a high degree of stealth, and many of its campaigns are not publicly disclosed. Confirmed or suspected activity includes:

  • Long-term infiltration of telecom providers in the Middle East to access call metadata and location tracking information
  • Access to government email servers in Southeast Asia and attempts to intercept diplomatic communications
  • Targeting of UK telecoms and research institutions linked to emerging technologies
  • Use of compromised servers to conduct surveillance and exfiltrate sensitive operational data without disrupting services

Unlike ransomware actors, Gallium does not extort its victims. Its operations are focused entirely on espionage, with minimal indicators of compromise until long after data has been exfiltrated.


6. Technical Indicators

Gallium’s operations are tailored per target, but known indicators include:

  • Use of China Chopper and other lightweight web shells
  • Deployment of custom backdoors and modified IIS modules
  • File paths and process names mimicking system processes
  • Outbound connections to command and control servers using HTTPS over port 443
  • Registry changes and scheduled tasks used for persistence

UK Cyber Defence Ltd maintains an updated set of IOCs, YARA rules, and defensive signatures for detection and response teams.


7. Defensive Measures and Recommendations

Organisations at risk of Gallium intrusion should take the following steps:

  • Patch all internet-facing services promptly, especially Exchange, VPNs, and IIS-based applications
  • Monitor for anomalous behaviour in web services and custom HTTP traffic
  • Enforce multi-factor authentication and monitor for credential reuse or privilege escalation
  • Review access logs regularly for long-standing sessions or unexplained service account use
  • Use endpoint detection and response (EDR) to detect living-off-the-land binaries and stealthy persistence mechanisms
  • Implement web application firewalls (WAF) and secure configuration baselines for IIS and other web-facing services
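As a defender-side illustration of the access-log review and web-service monitoring recommended above (an added example, not UK Cyber Defence Ltd's own tooling or signatures), the following Python script flags the traffic shape of a China Chopper style web shell in IIS W3C logs: script paths that only ever receive POST requests, from very few client addresses, and never with a browser User-Agent. The log lines, paths and IP addresses are constructed samples, and the thresholds are assumptions to tune per environment.

```python
"""Hunt for web-shell-shaped traffic in IIS W3C extended logs."""
from collections import defaultdict

SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".php", ".jsp")

# Constructed sample, not real telemetry: one legitimate OWA logon flow from
# two browsers, and one client repeatedly POSTing to an otherwise-unvisited
# script with no User-Agent. IIS encodes spaces in the UA as '+', so a plain
# whitespace split is safe on real logs as well.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-05-01 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-05-01 10:00:05 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 302
2025-05-01 10:00:09 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.44 Mozilla/5.0 200
2025-05-01 10:02:11 10.0.0.5 POST /aspnet_client/help.aspx - 443 - 203.0.113.9 - 200
2025-05-01 10:02:40 10.0.0.5 POST /aspnet_client/help.aspx - 443 - 203.0.113.9 - 200
2025-05-01 10:03:02 10.0.0.5 POST /aspnet_client/help.aspx - 443 - 203.0.113.9 - 200
"""

def parse_w3c(text):
    """Yield one dict per log entry, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def webshell_candidates(entries, max_clients=2):
    """Return script paths whose traffic looks like an operator talking to a
    web shell: POST-only, from at most max_clients addresses, no User-Agent."""
    stats = defaultdict(lambda: {"methods": set(), "clients": set(),
                                 "no_ua": 0, "hits": 0})
    for e in entries:
        path = e["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXTS):
            continue  # static content is not a web shell candidate
        s = stats[path]
        s["methods"].add(e["cs-method"])
        s["clients"].add(e["c-ip"])
        s["hits"] += 1
        if e.get("cs(User-Agent)", "-") == "-":
            s["no_ua"] += 1
    return sorted(p for p, s in stats.items()
                  if s["methods"] == {"POST"}
                  and len(s["clients"]) <= max_clients
                  and s["no_ua"] == s["hits"])

if __name__ == "__main__":
    for path in webshell_candidates(parse_w3c(SAMPLE_LOG)):
        print("review for web shell:", path)
```

Hits on a path should be cross-checked against the file's creation time and the deployed application's manifest before escalation, since a legitimate API endpoint that only ever receives POSTs can match the same shape.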

8. Attribution and Alliances

Gallium is widely believed to operate under the direction of China’s Ministry of State Security (MSS). It shares infrastructure and tradecraft with other Chinese APTs such as APT10 (Stone Panda), APT40, and Mustang Panda.

Public attribution has been made by Microsoft, Mandiant, and several national cyber security centres including those in the UK and US. Gallium is thought to work closely with other actors to support national surveillance and long-term access to regional infrastructure.


9. Conclusion

Gallium is a highly focused and stealthy cyber espionage group with a track record of successful intrusions into telecommunications, government, and critical infrastructure networks. Its operations align with Chinese strategic interests and pose a persistent threat to national resilience, data sovereignty, and geopolitical stability.

UK-based organisations in telecoms, infrastructure, research, and defence must remain vigilant against this actor. Effective defence requires continuous monitoring, proactive patching, and intelligence-led detection strategies.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025
