POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925)	Attack Pattern	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	2
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51)	Attack Pattern	3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3