Microsoft said on Thursday it detected and disabled attacks targeting OneDrive from a Lebanon-based group the company has named Polonium.
The tech giant said the incidents were part of a larger wave of attacks launched by Polonium against organizations based in Israel.
The Microsoft Threat Intelligence Center (MSTIC) said it determined “with moderate confidence” that the group was coordinating its efforts with hackers affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
“To further combat this abuse, Microsoft has suspended more than 20 malicious OneDrive apps created by Polonium actors, notified affected organizations, and rolled out a series of security intelligence updates that will quarantine tools developed by Polonium operators,” MSTIC explained in a blog post.
“Our goal with this blog is to help deter future activity by exposing and sharing POLONIUM tactics with the community at large.”
MSTIC said it was willing to publicly link the attacks to groups linked to Lebanon and Iran based “primarily on the overlap of victims and the commonality of tools and techniques”. The company claimed the attacks had been going on since 2020 and were part of a trend in which Iran uses third-party groups to carry out cyberattacks so that it can plausibly deny responsibility.
More than 20 organizations based in Israel and one intergovernmental organization based in Lebanon have been attacked by Polonium in the past three months.
MSTIC noted that the group “has deployed unique tools that abuse legitimate cloud services for command and control (C2) on most of their victims.”
“Polonium was observed creating and using legitimate OneDrive accounts and then using those accounts as C2 to execute part of their attack operation. This activity does not represent any security issue or vulnerability on the OneDrive platform,” the researchers explained, adding that they do not currently see any links between this activity and other groups linked to Lebanon.
Who is ‘Polonium’?
Since February, Microsoft has seen several attacks launched by Polonium targeting Israeli companies involved in manufacturing, IT, transportation systems, the defense industrial base, government agencies and services, food and agriculture, financial services and health care.
In one attack, Polonium actors used a compromised IT company in an attempt to reach a downstream airline and a law firm.
The group tends to specifically target service providers for the Israeli military, hoping the attacks will provide downstream access. MSTIC has seen Polonium actors deploying custom implants that use cloud services – like OneDrive and Dropbox – for command and control as well as data exfiltration.
“While OneDrive performs virus scanning on all uploaded content, Polonium does not use the cloud service to host its malware. If malware was hosted on the OneDrive account, Microsoft Defender Antivirus detections would block it,” explained the tech giant.
“Instead, they interact with the cloud service the same way a legitimate customer would. OneDrive partners with MSTIC to identify and disable accounts tied to known adversary behavior.”
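The point Microsoft makes above, and earlier in the piece, is that the implants talk to OneDrive and Dropbox exactly as a legitimate client would, so the destination alone is not a useful indicator; the signal defenders have is host context (which process opened the connection) and timing (near-constant check-in intervals). The following script is an added example written for this article, not code from Microsoft or from the Polonium report. It runs two such heuristics over a constructed proxy/EDR log excerpt; the log format, the process names, the expected-client baseline and the illustrative API hostnames are assumptions of the example, not indicators published by Microsoft.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Illustrative API hosts for the two services the article names. This mapping
# is an assumption of this example, not an indicator list from Microsoft.
CLOUD_STORAGE_HOSTS = {
    "graph.microsoft.com": "OneDrive",
    "api.onedrive.com": "OneDrive",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
}

# Processes expected to talk to each service on a managed workstation
# (assumed baseline; tune it to the environment being monitored).
EXPECTED_CLIENTS = {
    "OneDrive": {"onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe"},
    "Dropbox": {"dropbox.exe", "msedge.exe", "chrome.exe", "firefox.exe"},
}

# Constructed log excerpt: "<ISO timestamp> <host> <process> <dst_host> <bytes_out>".
# Hosts, process names and timings are invented for this example.
SAMPLE_LOG = """\
2022-06-02T09:00:00 WS-12 onedrive.exe graph.microsoft.com 4096
2022-06-02T09:00:00 WS-12 updater.exe api.onedrive.com 512
2022-06-02T09:05:00 WS-12 updater.exe api.onedrive.com 512
2022-06-02T09:07:13 WS-12 onedrive.exe graph.microsoft.com 70000
2022-06-02T09:10:00 WS-12 updater.exe api.onedrive.com 40960
2022-06-02T09:15:00 WS-12 updater.exe api.onedrive.com 512
2022-06-02T09:20:00 WS-12 updater.exe api.onedrive.com 512
2022-06-02T09:31:40 WS-07 chrome.exe api.dropboxapi.com 1024
2022-06-02T09:44:02 WS-12 onedrive.exe graph.microsoft.com 2048
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse the constructed log format, keeping only connections to the
    cloud storage API hosts listed above."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, proc, dst, nbytes = m.groups()
        service = CLOUD_STORAGE_HOSTS.get(dst.lower())
        if service is None:
            continue
        records.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "process": proc.lower(),
            "dst": dst.lower(),
            "service": service,
            "bytes_out": int(nbytes),
        })
    return records


def unexpected_clients(records):
    """Processes using a storage API that are not on the expected-client
    baseline for that service. Returns sorted (host, process, service)."""
    found = set()
    for r in records:
        if r["process"] not in EXPECTED_CLIENTS[r["service"]]:
            found.add((r["host"], r["process"], r["service"]))
    return sorted(found)


def beaconing_sessions(records, min_events=4, max_jitter_seconds=10.0):
    """Flag (host, process, dst) groups whose inter-connection intervals are
    near-constant. Implants may add jitter, so this is one signal among
    several rather than a verdict. Returns (host, process, dst, mean_gap)."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["host"], r["process"], r["dst"])].append(r["ts"])
    flagged = []
    for (host, proc, dst), stamps in by_key.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_seconds:
            flagged.append((host, proc, dst, round(mean(gaps))))
    return sorted(flagged)


def analyse(text):
    """Run both heuristics over a log excerpt and return the findings."""
    recs = parse_log(text)
    return {
        "unexpected_clients": unexpected_clients(recs),
        "beaconing": beaconing_sessions(recs),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

On the sample data the legitimate OneDrive client is left alone (it is on the baseline and its connections are irregular), while the invented `updater.exe` is flagged twice: it is not an expected OneDrive client, and its five connections to the API are exactly 300 seconds apart. Either finding on its own would justify pulling the binary for analysis; blocking the destination would not help, since the article notes the service itself is not at fault.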
The company added that it was still investigating how the group gained access to its victims, but noted that in about 80% of attacks, Microsoft saw victims using Fortinet appliances. While still unsure of the cause, Microsoft said it believes the group is likely exploiting CVE-2018-13379.