Lebanese Threat Actor ‘Polonium’ Targets Israeli Organizations

Microsoft says it has uncovered and disabled the OneDrive infrastructure of a Lebanon-based threat actor targeting organizations in Israel.

Based on victimology and overlaps in tools and techniques, the previously undocumented group, which the tech giant tracks as Polonium, appears to be collaborating with adversaries affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

According to Microsoft, such collaborations are not surprising, given that the government of Iran has been observed for roughly two years employing third parties to carry out its cyber operations.

Over the past three months, Polonium has been observed conducting attacks against over 20 organizations based in Israel, as well as against one intergovernmental organization that operates in Lebanon.

Targeted sectors include critical manufacturing, defense industrial base, food and agriculture, financial systems, government agencies, healthcare and public health, IT, transportation systems, and more.

In one case, Polonium compromised a cloud services provider and used it in a supply chain attack against an aviation company and a law firm. Furthermore, many of the targeted critical manufacturing firms work with Israel’s defense industry, Microsoft says.

The tech giant has observed the threat actor creating and using OneDrive accounts for command and control (C&C) in its attacks, and says that Polonium has been deploying custom implants that abuse cloud services such as OneDrive and Dropbox.

Microsoft also explains that the threat actor did not store malware on the identified OneDrive accounts, and that the observed implants would interact with the service the same way legitimate applications do.

Dubbed CreepyDrive, one of the observed implants supports file upload and download but does not feature a persistence mechanism. However, its logic is “wrapped in a while true loop, ensuring continuous execution of the implant,” Microsoft says.

The implant does not feature a victim identifier either, which suggests that the threat actor may employ a different OneDrive account as C&C for each victim.
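Because the implant is described as talking to OneDrive the way a legitimate client would, a defender has to look at behaviour rather than payload: which process is making the requests, and whether the cadence looks like a tight loop. The following detection sketch is an added example, not Microsoft's or Polonium's code; the log format, the process allowlist and the API hostnames are assumptions, and the log lines are constructed.

```python
"""Flag processes beaconing to OneDrive API hosts on a tight, regular loop
from something other than an expected OneDrive client."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# OneDrive / Graph API hostnames (assumed set for this example).
ONEDRIVE_HOSTS = {"graph.microsoft.com", "api.onedrive.com"}
# Binaries expected to talk to OneDrive on a managed Windows host (assumption).
EXPECTED_CLIENTS = {"onedrive.exe", "msedge.exe", "outlook.exe"}

# Constructed proxy/EDR log lines: ISO timestamp, process image, destination host.
SAMPLE_LOG = """\
2022-06-02T09:00:00 onedrive.exe graph.microsoft.com
2022-06-02T09:00:05 powershell.exe graph.microsoft.com
2022-06-02T09:00:10 powershell.exe graph.microsoft.com
2022-06-02T09:00:15 powershell.exe graph.microsoft.com
2022-06-02T09:00:20 powershell.exe graph.microsoft.com
2022-06-02T09:00:25 powershell.exe graph.microsoft.com
2022-06-02T09:07:12 onedrive.exe graph.microsoft.com
2022-06-02T09:10:44 msedge.exe api.onedrive.com
"""

def parse(log):
    """Yield (timestamp, process, host) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, proc, host = parts
        yield datetime.fromisoformat(ts), proc.lower(), host.lower()

def find_suspicious(log, min_requests=5, max_jitter=2.0):
    """Return {process: mean_gap_seconds} for non-allowlisted processes that
    made at least min_requests requests to OneDrive hosts at a steady cadence."""
    by_proc = defaultdict(list)
    for ts, proc, host in parse(log):
        if host in ONEDRIVE_HOSTS and proc not in EXPECTED_CLIENTS:
            by_proc[proc].append(ts)
    hits = {}
    for proc, stamps in by_proc.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A while-true polling loop yields near-constant gaps: low deviation.
        if pstdev(gaps) <= max_jitter:
            hits[proc] = round(mean(gaps), 1)
    return hits

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))  # {'powershell.exe': 5.0}
```

Tune the allowlist and jitter threshold to the environment; a browser session or sync client will also hit these hosts, which is why process identity and cadence are checked together rather than the destination alone.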

Polonium has also been observed using a custom PowerShell implant dubbed CreepySnail, as well as a common SSH tool that supports interactive sign-ins.

Microsoft says that, while it has yet to identify the initial infection vector employed by Polonium, most of the identified victims were running Fortinet appliances, which suggests that the threat actor might have exploited the CVE-2018-13379 vulnerability for compromise.

Potential collaboration with Iran-based threat actors, Microsoft says, is suggested by several overlaps: shared victims (including the targeting of MuddyWater victims), where the uniqueness of those victims suggests MOIS may have provided Polonium with access to already compromised networks; the use of OneDrive as C&C (similar to Lyceum); and the use of AirVPN for operational activity (also employed by CopyKittens).

Written By:
Ionut Arghire is an international correspondent for SecurityWeek.