Introduction
POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess that POLONIUM has coordinated its operations with multiple actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling [4].
Activities and Tactics
Targeted Sectors: Critical manufacturing, Defense industrial base, Financial services, Food and agriculture, Government agencies and services, Healthcare, Pharmaceuticals, Information technology, Transportation systems, NGOs, Civil Society, Military, Defense
Country of Origin: Lebanon
Risk Level: Critical
Incident Type: Espionage
Suspected Victims: Israel
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1567.002 Exfiltration to Cloud Storage
- T1102.002 Bidirectional Communication
- T1090 Proxy
- T1588.002 Tool
- T1199 Trusted Relationship
- T1583.006 Web Services
- T1078 Valid Accounts
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- CyberGate
- Cyber Eye RAT
- Archelaus Beta
Attribution and Evidence
Country of Origin: Lebanon
Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK.
[3] Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[4] Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.