Microsoft says it has uncovered and disabled the OneDrive infrastructure of a Lebanon-based threat actor targeting organizations in Israel.
Based on victimology and overlaps in tools and techniques, the previously undocumented group, which the tech giant tracks as Polonium, appears to be collaborating with adversaries affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
According to Microsoft, such collaborations are not surprising, given that the government of Iran has been observed for roughly two years employing third parties to carry out its cyber operations.
Over the past three months, Polonium has been observed conducting attacks against over 20 organizations based in Israel, as well as against one intergovernmental organization that operates in Lebanon.
Targeted sectors include critical manufacturing, defense industrial base, food and agriculture, financial systems, government agencies, healthcare and public health, IT, transportation systems, and more.
In one case, Polonium compromised a cloud services provider and used it in a supply chain attack against an aviation company and a law firm. Furthermore, many of the targeted critical manufacturing firms work with Israel’s defense industry, Microsoft says.
The tech giant has observed the threat actor creating and using OneDrive accounts for command and control (C&C) in its attacks, and says that Polonium has been deploying custom implants that abuse cloud services such as OneDrive and Dropbox.
Microsoft also explains that the threat actor did not store malware on the identified OneDrive accounts, and that the observed implants would interact with the service the same way legitimate applications do.
Dubbed CreepyDrive, one of the observed implants supports file upload and download but does not feature a persistence mechanism. However, its logic is “wrapped in a while true loop, ensuring continuous execution of the implant,” Microsoft says.
The implant does not feature a victim identifier either, which suggests that the threat actor may employ a different OneDrive account as C&C for each victim.
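Because an implant like CreepyDrive talks to OneDrive exactly as a legitimate client would, content inspection alone does not separate it from normal sync traffic; what the article's description does give a defender is a behavioural shape (continuous polling from a loop, uploads and downloads, one account per victim). The heuristic below is an added example, not Microsoft's detection logic or anything recovered from the implant: it scans constructed proxy log lines for processes that are not known OneDrive clients yet contact OneDrive or Graph endpoints at a near-constant interval. The log format, the endpoint hostnames, the allow-list of expected client processes and every log line are assumptions made for the example.

```python
"""Beaconing heuristic for cloud-storage C&C, run over constructed proxy logs.

Assumptions (not from the article): the log format below, the endpoint
hostnames, and the list of processes expected to talk to OneDrive.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hostnames a OneDrive client is expected to contact (assumed list).
ONEDRIVE_HOSTS = {"graph.microsoft.com", "api.onedrive.com", "onedrive.live.com"}

# Processes normally allowed to reach OneDrive on a managed workstation (assumed list).
EXPECTED_CLIENTS = {"OneDrive.exe", "msedge.exe", "chrome.exe", "OUTLOOK.EXE"}

# Constructed sample proxy log lines, one event per line:
# "<ISO timestamp> <host> <process> <destination> <method> <path>"
SAMPLE_LOG = """\
2022-06-01T09:00:00 WS-17 OneDrive.exe graph.microsoft.com GET /v1.0/me/drive/root/delta
2022-06-01T09:00:07 WS-17 powershell.exe graph.microsoft.com GET /v1.0/me/drive/root:/in:/children
2022-06-01T09:00:37 WS-17 powershell.exe graph.microsoft.com GET /v1.0/me/drive/root:/in:/children
2022-06-01T09:01:07 WS-17 powershell.exe graph.microsoft.com GET /v1.0/me/drive/root:/in:/children
2022-06-01T09:01:37 WS-17 powershell.exe graph.microsoft.com PUT /v1.0/me/drive/root:/out/result.txt:/content
2022-06-01T09:02:07 WS-17 powershell.exe graph.microsoft.com GET /v1.0/me/drive/root:/in:/children
2022-06-01T09:03:12 WS-17 OneDrive.exe graph.microsoft.com GET /v1.0/me/drive/root/delta
2022-06-01T09:45:00 WS-17 OneDrive.exe graph.microsoft.com GET /v1.0/me/drive/root/delta
2022-06-01T09:05:00 WS-22 chrome.exe onedrive.live.com GET /
"""


def parse_log(text):
    """Parse whitespace-separated proxy lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, host, proc, dest, method, path = parts
        events.append({
            "ts": datetime.fromisoformat(ts), "host": host, "proc": proc,
            "dest": dest, "method": method, "path": path,
        })
    return events


def find_beacons(text, min_requests=4, max_jitter=0.2):
    """Flag (host, process) pairs that poll OneDrive endpoints on a regular cadence.

    A polling loop produces inter-request gaps with low relative spread
    (stdev / mean below max_jitter); interactive use does not.  Known clients
    are skipped so the allow-list, not the cadence, decides for them.
    """
    groups = defaultdict(list)
    for ev in parse_log(text):
        if ev["dest"] in ONEDRIVE_HOSTS:
            groups[(ev["host"], ev["proc"])].append(ev)

    findings = []
    for (host, proc), evs in groups.items():
        if proc in EXPECTED_CLIENTS or len(evs) < min_requests:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter > max_jitter:
            continue
        findings.append({
            "host": host,
            "process": proc,
            "requests": len(evs),
            "interval_s": round(avg, 1),
            "jitter": round(jitter, 3),
            # PUTs are the upload direction; a non-client process uploading is the stronger signal.
            "uploads": sum(1 for e in evs if e["method"] == "PUT"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the only hit is `powershell.exe` on `WS-17`, polling every 30 seconds with one upload in the window, while the genuine `OneDrive.exe` and browser traffic is ignored. In practice the thresholds need tuning against a baseline of the environment's own sync traffic, and a hit is a lead for triage (which account, which script, what was uploaded), not a verdict.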
Polonium has also been observed using a custom PowerShell implant dubbed CreepySnail, as well as a common SSH tool that supports interactive sign-ins.
Microsoft says that, while it has yet to identify the initial infection vector employed by Polonium, most of the identified victims were running Fortinet appliances, which suggests that the threat actor might have exploited the CVE-2018-13379 vulnerability to gain initial access.
Potential collaboration with Iran-based threat actors, Microsoft says, is suggested by victim overlaps (including the targeting of MuddyWater victims; the uniqueness of the victims suggests MOIS may have provided Polonium with access to compromised networks), the use of OneDrive as C&C (similar to Lyceum), and the use of AirVPN for operational activity (also employed by CopyKittens).