Security Experts:

Connect with us

Hi, what are you looking for?



Lebanese Threat Actor ‘Polonium’ Targets Israeli Organizations

Microsoft says it has uncovered and disabled the OneDrive infrastructure of a Lebanon-based threat actor targeting organizations in Israel.

Microsoft says it has uncovered and disabled the OneDrive infrastructure of a Lebanon-based threat actor targeting organizations in Israel.

Based on victimology and tool and techniques overlaps, the previously-undocumented group, which is tracked by the tech giant as Polonium, appears to be collaborating with adversaries affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

According to Microsoft, such collaborations are not surprising, given that the government of Iran has been observed for roughly two years employing third parties to carry out its cyberoperations.

Over the past three months, Polonium has been observed conducting attacks against over 20 organizations based in Israel, as well as against one intergovernmental organization that operates in Lebanon.

Targeted sectors include critical manufacturing, defense industrial base, food and agriculture, financial systems, government agencies, healthcare and public health, IT, transportation systems, and more.

In one case, Polonium compromised a cloud services provider and used it in a supply chain attack against an aviation company and a law firm. Furthermore, many of the targeted critical manufacturing firms work with Israel’s defense industry, Microsoft says.

The tech giant has observed the threat actor creating and using OneDrive accounts for command and control (C&C) in its attacks, and says that Polonium has been deploying custom implants that abuse cloud services such as OneDrive and Dropbox.

Microsoft also explains that the threat actor did not store malware on the identified OneDrive accounts, and that the observed implants would interact with the service the same way legitimate applications do.

Dubbed CreepyDrive, one of the observed implants supports file upload and download but does not feature a persistence mechanism. However, its logic is “wrapped in a while true loop, ensuring continuous execution of the implant,” Microsoft says.

The implant does not feature a victim identifier either, which suggests that the threat actor may employ a different OneDrive account as C&C for each victim.

Polonium has also been observed using a custom PowerShell implant dubbed CreepySnail, as well as a common SSH tool that supports interactive sign-ins.

Microsoft says that, while it has yet to identify the initial infection vector employed by Polonium, most of the identified victims were running Fortinet appliances, which suggests that the threat actor might have exploited the CVE-2018-13379 vulnerability for compromise.

Potential collaboration with Iran-based threat actors, Microsoft says, is suggested by victim overlaps (including the targeting of MuddyWater victims) – the uniqueness of victims suggests MOIS may have provided Polonium with access to compromised networks –, the use of OneDrive as C&C (similar to Lyceum), and the use of AirVPN for operational activity (also employed by CopyKittens).

Related: Elusive Lebanese Threat Actor Compromised Hundreds of Servers

Related: Threat Actor Targets Middle East With DNS Redirections

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Threat Intelligence

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.