Microsoft said on Thursday that it has successfully “identified and disabled” a previously unreported Lebanon-based hacking group that it believes is working with Iranian intelligence.
The hacking group, tracked by the Microsoft Threat Intelligence Center (MSTIC) as “Polonium,” targeted or compromised more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months, with a focus on critical manufacturing, IT, and Israel’s defense industry. In one case a cloud services provider “was used to target a downstream aviation company and law firm in a supply chain attack,” Microsoft said in a blog post.
It added that Polonium operators have also targeted multiple victims compromised by the MuddyWater APT group, tracked by Microsoft as Mercury, which U.S. Cyber Command earlier this year linked to Iranian intelligence.
The previously unknown hacking group created legitimate Microsoft OneDrive accounts and then utilized those accounts as command and control (C2) to execute part of their attack operation. The observed activity was not related to any security issues or vulnerabilities within OneDrive, the Microsoft researchers wrote.
MSTIC said it determined high confidence the group behind the attacks is based in Lebanon, adding that they were “moderately” confident that Polonium was collaborating with Iran’s Ministry of Intelligence and Security (MOIS).
“The uniqueness of the victim organizations suggests a convergence of mission requirements with MOIS,” Microsoft said. “It may also be evidence of a ‘hand-off’ operational model where MOIS provides Polonium with access to previously compromised victim environments to execute new activity.”
Microsoft says it successfully suspended more than 20 malicious OneDrive applications created by the Polonium threat actors. The company added that it has also notified affected organizations and deployed a series of security intelligence updates that will quarantine tools developed by the Iran-linked hackers.
It’s still unclear how the attackers gained initial access to their victims’ networks, but Microsoft notes roughly 80% of compromised organizations were running Fortinet appliances, which “suggests, but does not definitively prove” that the Polonium compromised the Fortinet using a three-year-old vulnerability identified as CVE-2018-13379.
Microsoft’s action comes just months after the U.S. government, along with counterparts in Australia and the U.K., warned that Iranian state-backed hackers are targeting U.S. organizations in critical infrastructure sectors — in some cases with ransomware. The advisory said that Iran-backed hackers accessed a web server hosting the domain for a U.S. municipal government in May last year, before accessing the networks of a U.S.-based hospital specializing in healthcare for children the following month.