POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	1
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925)	Attack Pattern	POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	1
POLONIUM - G1005 (5f3d0238-d058-44a9-8812-3dd1b6741a8c)	Intrusion Set	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	1
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	2
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	2
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	2
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51)	Attack Pattern	2
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
CreepyDrive - S1023 (750eb92a-7fdf-451e-9592-1d42357018f1)	Malware	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51)	Attack Pattern	3