Written by AJ Vicens
Jun 2, 2022 | CYBERSCOOP
A previously unreported Lebanon-based hacking group with likely ties to Iranian intelligence has targeted more than 20 Israeli organizations since February, Microsoft’s Threat Intelligence Center and Digital Security Unit reported Thursday.
The group, which Microsoft dubbed “Polonium,” targeted or compromised more than 20 organizations in Israel and one unnamed intergovernmental organization with operations in Lebanon “with a focus on critical manufacturing, IT, and Israel’s defense industry,” the researchers wrote. In one case a cloud services provider “was used to target a downstream aviation company and law firm in a supply chain attack.”
The group created legitimate Microsoft OneDrive accounts and then utilized those accounts to execute part of its attack. The observed activity was not related to any security issues or vulnerabilities within OneDrive, the researchers wrote.
It’s still unclear how the attackers gained initial access to their victims’ networks. But roughly 80% of the victims were running Fortinet appliances, which “suggests, but does not definitively prove” that Polonium compromised those appliances using a three-year-old vulnerability identified as CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal that lets an unauthenticated attacker read files, including session credentials, from the device.
Polonium is likely an “operational group based in Lebanon” that may be coordinating with Iran’s Ministry of Intelligence and