On Thursday the Microsoft Threat Intelligence Center (MSTIC) issued a report. It claims it proactively “identified and disabled” a Lebanon-based hacking group known as POLONIUM, believed to be working with Iranian intelligence.
Over the past three months the group targeted or compromised more than 20 Israeli organizations and one intergovernmental organization with operations in Lebanon. The victims were concentrated in IT, critical manufacturing, and Israel’s defense industry.
Microsoft also posted details of a cloud services provider that “was used to target a downstream aviation company and law firm in a supply chain attack.”
POLONIUM shares targets with the MuddyWater APT
POLONIUM operators also targeted multiple victims already compromised by MuddyWater (aka SeedWorm/Temp.Zagros), a high-profile Advanced Persistent Threat (APT) actor sponsored by Iran.
Microsoft tracks MuddyWater as “Mercury”; U.S. Cyber Command earlier this year linked the group to Iranian intelligence.
POLONIUM was a previously unknown threat actor.
Its operators created ordinary Microsoft OneDrive accounts and then used those accounts as command-and-control (C2) infrastructure for part of their attack operation.
According to the report, “POLONIUM has been observed deploying a series of custom implants that utilize cloud services for command and control as well as data exfiltration. MSTIC has observed implants connecting to POLONIUM-owned accounts in OneDrive and Dropbox.”
The threat actor did not exploit any security issue or vulnerability within OneDrive; the implants simply talked to a legitimate, widely used service over HTTPS with accounts the attackers controlled. That is what makes this tradecraft hard to spot at the network edge: the destination is not suspicious, so detection has to key on which host and which process are generating the traffic.
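The report describes custom implants reaching OneDrive and Dropbox for C2 and exfiltration. The following is an added hunting example written for this page; it is not Microsoft’s tooling or anything recovered from POLONIUM. It groups proxy or EDR network records by source host and process, keeps only cloud-storage traffic from processes that are not on a per-service allow-list, and totals the upload volume so exfiltration ranks above beaconing. The CSV layout, the hostname list, the process allow-lists and the sample rows are all assumptions constructed for the example and must be tuned to a real environment.

```python
"""Hunt proxy/EDR network logs for OneDrive/Dropbox traffic from processes
that have no business producing it (the POLONIUM cloud-C2 pattern).
Added example, not Microsoft's or POLONIUM's code. Hostnames, allow-lists
and the log format are assumptions for illustration."""
import csv
import io

# API hostnames of the services being watched (assumption: not exhaustive).
CLOUD_STORAGE_HOSTS = {
    "graph.microsoft.com": "onedrive",
    "api.onedrive.com": "onedrive",
    "onedrive.live.com": "onedrive",
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
}

# Processes expected to talk to each service (assumption: per-environment).
EXPECTED_PROCESSES = {
    "onedrive": {"onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe"},
    "dropbox": {"dropbox.exe", "msedge.exe", "chrome.exe", "firefox.exe"},
}

# Constructed sample export in CSV form; these are not real telemetry rows.
SAMPLE_LOG = """ts,src_host,process,dst_host,method,bytes_out
2022-06-02T09:00:01Z,WS01,OneDrive.exe,graph.microsoft.com,GET,512
2022-06-02T09:00:05Z,WS01,chrome.exe,onedrive.live.com,GET,1024
2022-06-02T09:01:10Z,WS07,svchost.exe,api.onedrive.com,GET,300
2022-06-02T09:02:10Z,WS07,svchost.exe,api.onedrive.com,GET,300
2022-06-02T09:03:10Z,WS07,svchost.exe,api.onedrive.com,PUT,6000000
2022-06-02T09:04:00Z,WS09,updater.exe,api.dropboxapi.com,POST,4096
2022-06-02T09:05:00Z,WS12,Dropbox.exe,content.dropboxapi.com,PUT,8000000
2022-06-02T09:06:00Z,WS12,msedge.exe,www.example.com,GET,200
"""


def parse_log(text):
    """Parse the CSV export into dict rows; bytes_out becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["bytes_out"] = int(row["bytes_out"])
    return rows


def find_unexpected_cloud_traffic(rows):
    """Group cloud-storage connections by (host, process, service) and keep
    only groups whose process is not on that service's allow-list.
    Returns findings sorted by bytes uploaded, largest first."""
    stats = {}
    for row in rows:
        service = CLOUD_STORAGE_HOSTS.get(row["dst_host"].lower())
        if service is None:
            continue  # not a watched cloud-storage endpoint
        process = row["process"].lower()
        if process in EXPECTED_PROCESSES[service]:
            continue  # legitimate client or browser; ignore
        key = (row["src_host"], process, service)
        entry = stats.setdefault(key, {
            "src_host": row["src_host"], "process": process, "service": service,
            "connections": 0, "upload_bytes": 0,
            "first_seen": row["ts"], "last_seen": row["ts"],
        })
        entry["connections"] += 1
        # Uploads are where exfiltration shows; beacons are small GETs/POSTs.
        if row["method"].upper() in ("PUT", "POST", "PATCH"):
            entry["upload_bytes"] += row["bytes_out"]
        entry["first_seen"] = min(entry["first_seen"], row["ts"])
        entry["last_seen"] = max(entry["last_seen"], row["ts"])
    return sorted(stats.values(), key=lambda e: e["upload_bytes"], reverse=True)


if __name__ == "__main__":
    for f in find_unexpected_cloud_traffic(parse_log(SAMPLE_LOG)):
        print(f"{f['src_host']} {f['process']} -> {f['service']}: "
              f"{f['connections']} connections, {f['upload_bytes']} bytes up, "
              f"{f['first_seen']}..{f['last_seen']}")
```

On the sample rows this flags WS07 (svchost.exe pushing 6 MB to the OneDrive API, with repeated small requests before it) and WS09 (updater.exe posting to the Dropbox API), while the real OneDrive and Dropbox clients and the browsers are ignored. The allow-list is the weak point of the heuristic: a process name is trivially spoofed, so in production pair it with signer or hash information from the EDR rather than the name alone.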
MSTIC assesses with high confidence that the group is based in Lebanon, and with moderate confidence that POLONIUM was collaborating with Iran’s Ministry of Intelligence and Security (MOIS).
“The uniqueness of the victim organizations suggests a convergence of mission requirements with MOIS,” according to the Microsoft report. “It may also be evidence of a ‘hand-off’ operational model where MOIS provides Polonium with access to previously compromised victim environments to execute new activity.”
Microsoft also says it suspended more than 20 malicious OneDrive applications created by the group, notified all affected organizations, and deployed security intelligence updates that quarantine the tools POLONIUM developed.
MSTIC is still uncertain how the attackers gained initial access to their victims’ networks, but notes that at least 80% of the compromised organizations were running Fortinet appliances. That overlap “suggests but does not definitively prove” that POLONIUM got in through CVE-2018-13379, a three-year-old path-traversal vulnerability in the FortiOS SSL VPN web portal that lets an unauthenticated attacker read system files, including the session file holding VPN credentials. A fix has been available since 2019, so any still-exposed appliance should be checked for the patched firmware and its VPN credentials rotated.
The report closes with a list of recommended customer actions; organizations that see POLONIUM activity should apply those mitigations.