Polonium is a threat actor group, believed to be based in Lebanon, that has been responsible for significant cyberattacks on Israel's operational technology (OT) and critical infrastructure. In December, Israel's National Cyber Directorate issued warnings that Polonium had targeted critical sectors such as water and energy. The group also extended its operations beyond Israeli companies to target foreign subsidiaries of these firms. For initial access, Polonium primarily compromised Fortinet devices, either by using leaked VPN credentials or by exploiting CVE-2018-13379, a vulnerability that had been patched before the group's emergence. Microsoft has identified more than 20 malicious OneDrive applications created by Polonium actors and has taken steps to suspend these applications and notify affected organizations.
The group has demonstrated a high level of activity and sophistication, deploying a modified version of CreepySnail and collaborating with hackers based outside the country. Polonium has not only spied on over 20 Israeli organizations across various sectors, including transportation, critical manufacturing, IT, finance, agriculture, and healthcare, but also used its compromise of an IT company to target a downstream aviation company and law firm in a supply chain attack. This attack relied on service provider credentials to gain access to the targeted networks, highlighting the group's advanced capabilities.
Despite originating from a country with few APT groups, Polonium's activities should not be underestimated. The group's modus operandi has been characterized by relentless attacks on Israel, utilizing sophisticated techniques and tools. The Microsoft Threat Intelligence Center (MSTIC) assesses with high confidence that Polonium is an operational group based in Lebanon. To mitigate the threat posed by this group, Microsoft has deployed a series of security intelligence updates to quarantine tools developed by Polonium operators.
Description last updated: 2024-05-04T20:59:08.186Z