POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925)	Attack Pattern	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	1
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	2
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	2
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51)	Attack Pattern	2
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51)	Attack Pattern	3