A hacking group with suspected ties to the Chinese government has been recently hitting government and other organizations in Asia, Europe, and Africa with malware that takes over the targeted computer, according to a cybersecurity research group.
The Gallium hacking group is an advanced and persistent threat group that uses identified Chinese malware and tactics, said Unit 42, the research arm of cybersecurity vendor Palo Alto Networks. The hacking group traditionally focused on telecommunications companies but has recently expanded its target list to include government agencies and financial institutions, the research group said.
While Unit 42 didn’t identify the U.S. government and businesses as Gallium targets, some cybersecurity experts raised concerns that the hacking group’s decision to expand its target list could eventually lead to attacks on U.S. organizations.
There’s not an impending threat to U.S. organizations, said Saryu Nayyar, CEO and founder of cybersecurity vendor Gurucul.
“However, Chinese threat actors often start out testing and refining their capabilities closer to home [or] against less secure infrastructures before executing more severe and ambitious campaigns against the U.S.,” she told the Washington Examiner. “So we definitely need to be on high alert.”
Unit 42 also identified the malware Gallium is using. PingPull is a remote access trojan that targets three internet protocols, including Internet Control Message Protocol, to gain access to victim computers. PingPull’s use of ICMP makes it difficult to detect its communications back to the hackers’ command-and-control infrastructure because “few organizations implement inspection of ICMP traffic on their networks,” Unit 42 said in a blog post.
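Because most networks allow ICMP echo traffic through and rarely inspect its payload, a defender's usual starting point is to compare what ICMP echo requests carry against what ordinary ping tools send. The script below is an added example written for this article, not code from Unit 42 or from the PingPull report, and it generalizes beyond PingPull to any command-and-control channel tunnelled over ICMP echo. It groups constructed echo-request records by source and destination and flags flows whose payload sizes vary, whose bodies change from packet to packet, or whose bytes do not follow the incrementing pattern that common ping implementations use. The record format, the assumed 8-byte timestamp header followed by incrementing bytes, and all thresholds are assumptions for the example, and the sample records are constructed, not captured traffic.

```python
from collections import defaultdict
from statistics import pstdev


def standard_ping_payload(seq: int) -> bytes:
    """Constructed benign payload: 8-byte timestamp followed by incrementing
    bytes from 0x10, the layout iputils-style ping tools use (assumption)."""
    return seq.to_bytes(8, "big") + bytes(range(0x10, 0x40))


def odd_payload(seq: int, length: int) -> bytes:
    """Constructed non-ping-like payload: deterministic bytes that neither
    increment nor stay constant, with a caller-chosen length."""
    return bytes((seq * 37 + j * 91) % 256 for j in range(length))


# Constructed sample of ICMP echo-request records as (src_ip, dst_ip, payload).
# 10.0.0.5 behaves like a normal ping; 10.0.0.7 carries varying, structured
# data; 10.0.0.9 sends too few packets to judge.
SAMPLE_RECORDS = (
    [("10.0.0.5", "8.8.8.8", standard_ping_payload(i)) for i in range(6)]
    + [("10.0.0.7", "203.0.113.9", odd_payload(i, n))
       for i, n in enumerate([30, 120, 64, 200, 45, 90])]
    + [("10.0.0.9", "1.1.1.1", standard_ping_payload(i)) for i in range(2)]
)


def looks_like_ping_pattern(payload: bytes, header_len: int = 8) -> bool:
    """True if the bytes after the assumed timestamp header increase by one
    each step (mod 256), as a stock ping payload does."""
    body = payload[header_len:]
    if len(body) < 2:
        return True  # too short to judge; do not count it against the flow
    return all((body[j + 1] - body[j]) % 256 == 1 for j in range(len(body) - 1))


def score_flows(records, min_packets=5, size_stdev_limit=8.0,
                distinct_ratio_limit=0.5, header_len=8):
    """Group echo requests per (src, dst) and return the flows that deviate
    from plain ping behaviour, each with the reasons it was flagged."""
    flows = defaultdict(list)
    for src, dst, payload in records:
        flows[(src, dst)].append(payload)

    findings = {}
    for key, payloads in flows.items():
        if len(payloads) < min_packets:
            continue  # not enough packets for the statistics to mean anything
        reasons = []

        # Ping tools send a fixed size; a tunnel sizes packets to its data.
        sizes = [len(p) for p in payloads]
        if pstdev(sizes) > size_stdev_limit:
            reasons.append("variable payload size")

        # Majority of packets whose bytes do not follow the incrementing pattern.
        non_pattern = sum(1 for p in payloads if not looks_like_ping_pattern(p, header_len))
        if non_pattern > len(payloads) // 2:
            reasons.append("payload bytes do not follow a ping pattern")

        # A stock ping repeats the same body; a data channel rarely does.
        bodies = {p[header_len:] for p in payloads}
        if len(bodies) / len(payloads) > distinct_ratio_limit:
            reasons.append("payload body changes between packets")

        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (src, dst), reasons in score_flows(SAMPLE_RECORDS).items():
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

Run against packet metadata exported from a sensor, the same three checks give a cheap first-pass filter; the thresholds should be tuned against a baseline of the organisation's own ping traffic, since monitoring tools that send fixed, repeating payloads will pass all three checks while a tunnel trips at least one.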
Cybersecurity experts said Gallium, which has been active for about a decade, has historically focused on intelligence efforts, strengthening the suspicions that it has ties to the Chinese government.
The hacking group is “unique because it engages solely in what can be considered espionage operations,” said Sally Vincent, a senior threat analyst with LogRhythm, a cybersecurity vendor. “Their attacks are focused on obtaining data.”
One telecommunications provider had its call records and user data stolen during an attack attributed to Gallium, she noted.
“Gallium’s operations have resulted in the nearly complete takeovers of victim networks,” she told the Washington Examiner. “Gallium is truly persistent in gaining a foothold in networks and will try technique after technique until one works.”
While Gallium has focused on espionage during its attacks thus far, its techniques could be used for several other purposes, Nayyar added.
Gallium “has yet to introduce disruption as an end goal and focused on targeted spying,” she said. Gallium has operated similarly to other state-sponsored hackers that “have often hijacked and disrupted critical infrastructure, which is easily done based on how they infiltrate networks and communicate back ‘home’ through encrypted or unmonitored connections.”
If Gallium is tied to the Chinese government, its identified targets make sense based on the “historical interests” of the country, added Austin Berglas, global head of professional services at BlueVoyant, a cybersecurity vendor.
“China has always had a wide range of espionage targets, always seeking to gain a political, social, and economic advantage over other countries,” he told the Washington Examiner.
Organizations should take Gallium seriously and familiarize themselves with its methods of attack, some cybersecurity experts said.
Organizations at risk should monitor for PingPull indicators of compromise, Vincent recommended. Palo Alto Networks has listed those indicators in its recent threat report. Gallium has also used exploits on public-facing servers in the past, so “keeping web servers patched is a must,” she added.
In addition, companies should have up-to-date malware detection programs, use multifactor authentication, create a vulnerability management program, and implement proper email security, Berglas recommended. They should also train employees about phishing campaigns and about downloading malicious attachments.
“Companies should continue to practice and implement solid security hygiene practices,” he said.