Skip to content

Hide Navigation Hide TOC

POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 1
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set 1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c) Intrusion Set Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925) Attack Pattern 1
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) Attack Pattern CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 2
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 2
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware 2
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1) Malware Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) Attack Pattern 3