Microsoft recently announced that it has taken action to disrupt malicious activity linked to a previously unidentified hacker group known as Polonium. The group has been abusing OneDrive, a legitimate cloud service, for malicious purposes, prompting Microsoft to intervene.

In addition to terminating the accounts connected to this Lebanon-based group, the Microsoft Threat Intelligence Center (MSTIC) reported suspending over 20 malicious OneDrive applications designed by Polonium. Affected organizations have been duly notified about the breaches.

MSTIC assessed that the activities conducted by Polonium have shown coordination with other Iranian actors, primarily through victim overlap and shared methodologies. This assessment carries a moderate confidence level, reinforcing concerns about state-affiliated hacking operations.

Since February 2022, Polonium’s operations have reportedly affected over 20 organizations in Israel, including a notable intergovernmental agency operating in Lebanon. Sectors targeted by the group span manufacturing, IT, and healthcare, among others, with one attack involving a cloud service provider that compromised clients in the aviation industry.

Initial access in these incidents is believed to have been achieved by exploiting a vulnerability in Fortinet appliances, specifically path traversal flaws (CVE-2018-13379). This exploitation enabled the deployment of custom PowerShell implants, such as CreepySnail, facilitating communication with command-and-control (C2) servers for further malicious actions.

The attacks have used tailored tools that turn legitimate cloud services such as OneDrive and Dropbox into C2 channels, through malicious applications named CreepyDrive and CreepyBox. These implants let the adversaries move stolen files through those services, giving them a reliable avenue for data exfiltration that blends in with normal cloud traffic.
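Because the C2 traffic goes to legitimate cloud-storage APIs, blocking the domains is rarely an option; the detectable signal is context. The following is an added defender-side example (not Microsoft's or Polonium's code) run over constructed proxy log lines: it flags script hosts such as PowerShell contacting the OneDrive/Dropbox API domains and checks whether their check-ins have the near-constant interval of implant polling. The domain and process lists are assumptions to tune for your environment.

```python
"""Flag script hosts polling cloud-storage APIs (constructed proxy logs)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed API domains an implant using OneDrive/Dropbox as C2 would need.
CLOUD_STORAGE_APIS = {"graph.microsoft.com", "api.onedrive.com",
                      "api.dropboxapi.com", "content.dropboxapi.com"}
# Script interpreters that rarely need to call cloud-storage APIs directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed sample: timestamp,host,process,destination,method
SAMPLE_LOG = """\
2022-06-03T10:00:00Z,host01,powershell.exe,graph.microsoft.com,PUT
2022-06-03T10:05:01Z,host01,powershell.exe,graph.microsoft.com,GET
2022-06-03T10:10:00Z,host01,powershell.exe,graph.microsoft.com,GET
2022-06-03T10:15:02Z,host01,powershell.exe,graph.microsoft.com,PUT
2022-06-03T10:02:00Z,host02,OneDrive.exe,graph.microsoft.com,GET
2022-06-03T10:03:00Z,host02,powershell.exe,update.example.internal,GET
"""

def parse(log):
    """Yield (timestamp, host, process, destination, method) per line."""
    for line in log.splitlines():
        ts, host, proc, dest, method = line.split(",")
        yield (datetime.fromisoformat(ts.replace("Z", "+00:00")),
               host, proc.lower(), dest, method)

def script_host_to_cloud_api(log):
    """Return sorted (host, process, destination) tuples worth triage."""
    hits = {(h, p, d) for _, h, p, d, _ in parse(log)
            if p in SCRIPT_HOSTS and d in CLOUD_STORAGE_APIS}
    return sorted(hits)

def beacon_like(log, min_events=3, max_jitter=0.1):
    """Flag series whose check-in gaps are nearly constant (C2 polling)."""
    series = defaultdict(list)
    for ts, h, p, d, _ in parse(log):
        series[(h, p, d)].append(ts)
    flagged = []
    for key, stamps in series.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the intervals: low means clock-like.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((key, round(avg)))
    return flagged
```

The legitimate OneDrive.exe sync client on host02 and the PowerShell update check against an internal host are intentionally not flagged.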

This incident illustrates a growing trend where Iranian threat actors exploit cloud solutions for covert operations. A previous campaign, linked to a group named MalKamak in 2021, showcased the use of Dropbox for similar C2 purposes, aiming to evade detection.

MSTIC also noted that many organizations targeted by Polonium had previously fallen victim to a different Iranian hacker group, MuddyWater, which has been identified by U.S. Cyber Command as a subordinate branch of Iran’s Ministry of Intelligence and Security (MOIS). The significant overlap in victims suggests a coordinated strategy among Iranian cyber actors.

To mitigate the risks posed by such advanced threats, business leaders are advised to implement multi-factor authentication and conduct thorough audits of their partner relationships to limit unnecessary permissions. Adopting these measures can enhance organizational defenses against evolving cyber threats.
