
G1005 POLONIUM

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.[1]

| Item | Value |
| --- | --- |
| ID | G1005 |
| Associated Names | (none listed) |
| Version | 1.0 |
| Created | 01 July 2022 |
| Last Modified | 10 August 2022 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1583 | Acquire Infrastructure | - |
| Enterprise | T1583.006 | Web Services | POLONIUM has created and used legitimate Microsoft OneDrive accounts for their operations.[1] |
| Enterprise | T1567 | Exfiltration Over Web Service | - |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage | POLONIUM has exfiltrated stolen data to POLONIUM-owned OneDrive and Dropbox accounts.[1] |
| Enterprise | T1588 | Obtain Capabilities | - |
| Enterprise | T1588.002 | Tool | POLONIUM has obtained and used tools such as AirVPN and plink in their operations.[1] |
| Enterprise | T1090 | Proxy | POLONIUM has used the AirVPN service for operational activity.[1] |
| Enterprise | T1199 | Trusted Relationship | POLONIUM has used compromised credentials from an IT company to target downstream customers, including a law firm and an aviation company.[1] |
| Enterprise | T1078 | Valid Accounts | POLONIUM has used valid compromised credentials to gain access to victim environments.[1] |
| Enterprise | T1102 | Web Service | - |
| Enterprise | T1102.002 | Bidirectional Communication | POLONIUM has used OneDrive and Dropbox for C2.[1] |

Software

| ID | Name | References | Techniques (sub-technique: parent technique) |
| --- | --- | --- | --- |
| S1023 | CreepyDrive | [1] | Web Protocols: Application Layer Protocol; PowerShell: Command and Scripting Interpreter; Data from Local System; Exfiltration to Cloud Storage: Exfiltration Over Web Service; File and Directory Discovery; Ingress Tool Transfer; Application Access Token: Use Alternate Authentication Material; Bidirectional Communication: Web Service |
| S1024 | CreepySnail | [1] | Web Protocols: Application Layer Protocol; PowerShell: Command and Scripting Interpreter; Standard Encoding: Data Encoding; Exfiltration Over C2 Channel; System Network Configuration Discovery; System Owner/User Discovery; Domain Accounts: Valid Accounts |

References