POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	1
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925)	Attack Pattern	1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	1
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	2
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51)	Attack Pattern	Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	3