Skip to content

Hide Navigation Hide TOC

POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set 1
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set 1
Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925) Attack Pattern POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set 1
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set 1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set 1
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set 1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 2
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 2
Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) Attack Pattern CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware 2
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware 2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) Attack Pattern 3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3