G1005 POLONIUM
POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.1
| Item | Value |
|---|---|
| ID | G1005 |
| Associated Names | |
| Version | 1.0 |
| Created | 01 July 2022 |
| Last Modified | 10 August 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.006 | Web Services | POLONIUM has created and used legitimate Microsoft OneDrive accounts for their operations.1 |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | POLONIUM has exfiltrated stolen data to POLONIUM-owned OneDrive and Dropbox accounts.1 |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | POLONIUM has obtained and used tools such as AirVPN and plink in their operations.1 |
| enterprise | T1090 | Proxy | POLONIUM has used the AirVPN service for operational activity.1 |
| enterprise | T1199 | Trusted Relationship | POLONIUM has used compromised credentials from an IT company to target downstream customers including a law firm and aviation company.1 |
| enterprise | T1078 | Valid Accounts | POLONIUM has used valid compromised credentials to gain access to victim environments.1 |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | POLONIUM has used OneDrive and DropBox for C2.1 |