Lebanese group uses Microsoft OneDrive to attack Israeli defense orgs
Lebanon-based threat actor, likely coordinating its attacks with Iran, has been targeting Israeli defense and critical manufacturing organizations.
The group that the Microsoft Threat Intelligence Center (MSTIC) tracks as Polonium has also targeted informational technologies, transportation systems, government agencies, food and agriculture, and healthcare, among other industries.
Microsoft said that Polonium’s tactic follows an increasing trend by many actors, including several Iranian groups, of targeting service provider access to gain downstream access.
“In at least one case, POLONIUM’s compromise of an IT company was used to target a downstream aviation company and law firm in a supply chain attack that relied on service provider credentials to access the targeted networks,” the blog reads.
The threat actor has targeted or compromised more than 20 organizations in Israel and one intergovernmental organization with operations in Lebanon over the past three months.
Microsoft observed Polonium utilizing legitimate OneDrive accounts as command and control (C2) to execute part of their attack operation. The company noted that this does not indicate any security issues on the OneDrive platform.
MSTIC “assesses with high confidence” that Polonium is based in Lebanon and coordinating with other actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
Such collaboration or direction from Tehran would align with a string of revelations since late 2020 that the Government of Iran is using third parties to carry out cyber operations on their behalf, likely to enhance Iran’s plausible deniability,Microsoft said.
MSTIC has observed Polonium targeting multiple victims that Mercury (or Muddy Watter,) associated with MOIS, has previously compromised.
“The uniqueness of the victim organizations suggests a convergence of mission requirements with MOIS. It may also be evidence of a ‘hand-off’ operational model where MOIS provides Polonium with access to previously compromised victim environments to execute new activity.”
Polonium, as well as Lyceum, recently observed targeting the Middle East, has been observed using cloud services for data exfiltration and command and control.
What is more, both Polonium and CopyKittens, an Iranian cyber espionage group, commonly use AirVPN for operational activity.
“While use of public VPN services is common across many actor sets, these actors’ specific choice to use AirVPN, combined with the additional overlaps documented above, further supports the moderate confidence assessment that POLONIUM collaborates with MOIS,” Microsoft said.
More from Cybernews:
Subscribe to our newsletter