POLONIUM

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.[1]

ID: G1005
Version: 1.0
Created: 01 July 2022
Last Modified: 10 August 2022

Techniques Used

Domain ID Name Use
Enterprise T1583 .006 Acquire Infrastructure: Web Services

POLONIUM has created and used legitimate Microsoft OneDrive accounts for their operations.[1]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

POLONIUM has exfiltrated stolen data to POLONIUM-owned OneDrive and Dropbox accounts.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

POLONIUM has obtained and used tools such as AirVPN and plink in their operations.[1]

Enterprise T1090 Proxy

POLONIUM has used the AirVPN service for operational activity.[1]

Enterprise T1199 Trusted Relationship

POLONIUM has used compromised credentials from an IT company to target downstream customers including a law firm and aviation company.[1]

Enterprise T1078 Valid Accounts

POLONIUM has used valid compromised credentials to gain access to victim environments.[1]

Enterprise T1102 .002 Web Service: Bidirectional Communication

POLONIUM has used OneDrive and DropBox for C2.[1]

Software

References