In June this year, Cybereason published a blog post on Operation Soft Cell, a targeted attack against telecom providers around the world. The actors behind the operation are particularly interested in Call Detail Records (CDR) for specific high-value users, which give them valuable metadata on their communication and location. Prior to publishing their blog post, Cybereason researchers Mor Levi, Amit Serper and Assaf Dahan had submitted their research to VB2019 – and in October, they delivered their paper in London.
Based on the TTPs, which include the use of the Poison Ivy RAT and the China Copper web shell, Cybereason had concluded that the actors were likely Chinese. In a blog post published this week, Microsoft raises awareness for this actor, which it labels ‘GALLIUM’.