Researchers Warn of GALLIUM Threat Group Attacks on Telecom Providers

• Researchers are warning about malicious activity by a threat group dubbed ‘GALLIUM’.
• This ongoing campaign is said to be targeting telecommunication providers across the world.

An overview

This attack group is said to be initially documented by researchers at Cybereason.

• The GALLIUM group is believed to be active since at least 2012 and launched attacks that stole data from Active Directory and compromise other types of data including personally identifiable information, financial records, geolocations, and more.
• Between 2018 and mid-2019, security researchers observed that most of the group’s activity happened. In this time, the group primarily targeted telecommunication providers.

The threat group’s operation

Based on a number of assessments, it was deduced that this threat group potentially uses open-source research and network scanning tools to find victims. The group usually compromises unpatched web services and then installs tools and introduces malware for performing malicious activities.

“MSTIC investigations indicate that GALLIUM modifies its tooling to the extent it evades antimalware detections rather than develop custom functionality. This behavior has been observed with GALLIUM actors across several operational areas,” say researchers.

What is the current scenario?

Researchers at the Microsoft Threat Intelligence Center (MSTIC) are warning of ongoing activity by the GALLIUM threat group targeting telecom providers. They recommend active defenses to prevent the successful execution of the attacks.

Suggested defenses

The security experts who analyzed the threat have recommended a few defenses that organizations can adopt.

• Always enable Muti-Factor Authentication for all accounts that you may use.
• Ensure that your systems and software are running on the latest versions available.
• Implement behavior detection solutions to identify signs of a potential breach.
• Make sure that web services are running on minimum permissions.

You can find the entire list of recommendations along with the Indicators of Compromise (IOCs) and detailed analysis of the threat group in the Microsoft blog post.