Microsoft exposes and disables Polonium activity targeting Israeli organizations

Microsoft has exposed and disabled a Lebanon-based Polonium cyber activity targeting Israeli organizations.

According to Microsoft Threat Intelligence Center (MSTIC), the bad actors created 20 malicious OneDrive applications used to target organizations in Israel with a focus on critical manufacturing, IT, and Israel’s defense industry.

Since February 2022, Microsoft has detected the Polonium activity. The tech giant recently disabled the malicious OneDrive apps and also deployed new intelligence updates that will quarantine any tools developed by Polonium actors.

Moreover, the Polonium activity used supply chain attack methods to gain access to even more valuable downstream organizations:

“In at least one case, POLONIUM’s compromise of an IT company was used to target a downstream aviation company and law firm in a supply chain attack that relied on service provider credentials to gain access to the targeted networks. Multiple manufacturing companies they targeted also serve Israel’s defense industry, indicating a POLONIUM tactic that follows an increasing trend by many actors, including among several Iranian groups, of targeting service provider access to gain downstream access.”

The MSTIC also assessed with moderate confidence that Polonium has been coordinating with other actor groups with links to Iran’s Ministry of Intelligence and Security (MOIS).

To add, Polonium was observed “deploying a series of custom implants that utilize cloud services” (such as OneDrive and DropBox) for command and control as well as data exfiltration.

Some of the tools detected include multiple strains of CreepyDrive and CreepyBox malware.

Finally, MSTIC noted that “approximately 80% of the observed victims beaconing to graph.microsoft.com were running Fortinet appliances,” which they suggested (although does not prove) that Polonium may have exploited Fortinet vulnerability CVE-2018-13379 to gain access to victim organizations.

Iranian state-sponsored advanced persistent threat (APT) actors have been known to exploit these types of flaws, also one of the most commonly exploited vulnerabilities in 2021.

Related Articles