Cyber Threat Actor: GALLIUM
| Actor Type | Location | Known Incidents |
|---|---|---|
| Nation State | China | 4 incidents |
Profile
The threat actor is known by multiple aliases including Gallium, Softcell, UNC 2814/GALLIUM/SOFTCELL, UNSC 2814 and related variants. It is assessed to operate from China. Belgian authorities have publicly attributed its activities to a Chinese state‑linked advanced persistent threat group.
The group has been observed targeting government institutions in Belgium, specifically the defense and interior ministries. It also compromised a major telecommunications provider in Austria, A1 Telekom. These operations were assessed by Belgian officials as cyberespionage campaigns that undermined national sovereignty, democratic processes and security. Belgian authorities denounced the operations as violations of UN‑endorsed norms for responsible state behavior in cyberspace. Chinese officials rejected the allegations, calling them baseless and lacking evidence.
In the A1 Telekom incident the attackers first deployed malware to gain an initial foothold. After gaining access they manually expanded their presence within the network. They subsequently queried internal databases to map systems and gather information.
The July 2022 intrusion into Belgian federal ministries represents a prominent example of their activity. The November 2019 breach of A1 Telekom illustrates their capability against telecom infrastructure. Belgian officials called for enhanced information sharing and cooperation with European partners to improve cyber resilience against such threats. The Belgian government also urged Chinese authorities to prevent malicious cyber activity from originating within China’s territory.
