POLONIUM

Threat Actor updated 23 days ago (2024-11-29T14:04:42.381Z)
Download STIX
Preview STIX
Polonium is a threat actor group, believed to be based in Lebanon, that has been responsible for significant cyberattacks on Israel's operational technology (OT) and critical infrastructure. In December, Israel's National Cyber Directorate issued warnings that Polonium had targeted critical sectors such as water and energy. The group also extended its operations beyond Israeli companies to target foreign subsidiaries of these firms. For initial access, Polonium primarily exploited Fortinet devices using leaked VPN credentials or via the CVE-2018-13379 vulnerability, which was patched before the group's emergence. Microsoft has identified more than 20 malicious OneDrive applications created by Polonium actors and has taken steps to suspend these applications and notify affected organizations. The group has demonstrated a high level of activity and sophistication, deploying a modified version of CreepySnail and collaborating with extranational hackers. Polonium has not only spied on over 20 Israeli organizations across various sectors, including transportation, critical manufacturing, IT, finance, agriculture, and healthcare, but also used its compromise of an IT company to target a downstream aviation company and law firm in a supply chain attack. This attack relied on service provider credentials to gain access to the targeted networks, highlighting the group's advanced capabilities. Despite originating from a country with few APT groups, Polonium's activities should not be underestimated. The group's modus operandi has been characterized by relentless attacks on Israel, utilizing sophisticated techniques and tools. Microsoft's Threat Intelligence Center (MSTIC) assesses with high confidence that Polonium represents an operational group based in Lebanon. To mitigate the threat posed by this group, Microsoft has deployed a series of security intelligence updates to quarantine tools developed by Polonium operators.
Description last updated: 2024-05-04T20:59:08.186Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Vpn
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The CreepySnail Malware is associated with POLONIUM. CreepySnail is a malware that can infect a computer or device through suspicious downloads, emails or websites, and steal personal information or disrupt operations. CreepySnail utilizes Base64-encoded parameters to transmit information from the victim to the threat actor. It also uses static URI paUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2018-13379 Vulnerability is associated with POLONIUM. CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20Unspecified
2
Source Document References
Information about the POLONIUM Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more