POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.[1]
| Name | Description |
|---|---|
| Plaid Rain | |

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1090 | Proxy | POLONIUM has used the AirVPN service for operational activity.[1] |
| Enterprise | T1199 | Trusted Relationship | POLONIUM has used compromised credentials from an IT company to target downstream customers, including a law firm and an aviation company.[1] |
| Enterprise | T1078 | Valid Accounts | POLONIUM has used valid compromised credentials to gain access to victim environments.[1] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | |
| Enterprise | T1583.006 | Acquire Infrastructure: Web Services | POLONIUM has created and used legitimate Microsoft OneDrive accounts for their operations.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | POLONIUM has obtained and used tools such as AirVPN and plink in their operations.[1] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | POLONIUM has exfiltrated stolen data to POLONIUM-owned OneDrive and Dropbox accounts.[1] |

| ID | Name | References | Techniques |
|---|---|---|---|
| S1023 | CreepyDrive | [1] | Data from Local System, Use Alternate Authentication Material: Application Access Token, Command and Scripting Interpreter: PowerShell, Application Layer Protocol: Web Protocols, File and Directory Discovery, Web Service: Bidirectional Communication, Ingress Tool Transfer, Exfiltration Over Web Service: Exfiltration to Cloud Storage |
| S1024 | CreepySnail | [1] | Command and Scripting Interpreter: PowerShell, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Valid Accounts: Domain Accounts, System Owner/User Discovery, System Network Configuration Discovery, Exfiltration Over C2 Channel |