Microsoft Disables Hacking Group Working With Iranian Intelligence


Microsoft has detected and disabled a previously undocumented Lebanon-based activity group that is working with others affiliated with Iran’s Ministry of Intelligence and Security (MoIS) to attack organizations in Israel.

The Microsoft Threat Intelligence Center (MSTIC) has named the group ‘Polonium’.

The tech giant has suspended over 20 malicious OneDrive applications created by Polonium actors.

“Our goal is to help prevent future activity by sharing the Polonium strategy with the community at large,” the company said in a statement.

The group coordinates with actors affiliated with the Iranian government, and such cooperation with, or direction from, Tehran would align with a string of revelations since late 2020 that ‘the Iranian government is using third parties to conduct cyber operations on its behalf.’

Over the past three months, Polonium has targeted or compromised more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon.

Microsoft explained: “This actor deployed unique tools that abuse legitimate cloud services for command and control (C2) in most of its victims.

Polonium was observed creating and using legitimate OneDrive accounts, then those accounts were used as C2 to execute part of their attack operations.”

Microsoft stressed that this activity does not represent a security issue or vulnerability in the OneDrive platform itself: the actor used accounts it had legitimately created as a covert channel, so the defensive lever for targeted organizations is spotting anomalous use of the service, not patching it.
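Because the C2 rides on a sanctioned cloud service, network blocklists do not help; what stands out is which process talks to the OneDrive API and how regularly. The script below is an added example, not code from Microsoft or from the article, showing two such checks over constructed endpoint network events: a process outside a small allowlist reaching OneDrive/Graph hosts, and a request train with near-constant inter-arrival times (a beaconing heuristic). The log format, hostnames, allowlist and thresholds are assumptions to be tuned to your own telemetry.

```python
"""Hunting for cloud-service C2: flag endpoints whose traffic to OneDrive/Graph
comes from an unexpected process or polls at a machine-regular interval.
Added example; the log format and thresholds are assumptions, not Microsoft's."""
import json
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hostnames the OneDrive client and Microsoft Graph use (assumption: tune to your proxy logs).
ONEDRIVE_HOSTS = {"api.onedrive.com", "graph.microsoft.com", "onedrive.live.com"}
# Processes that legitimately talk to those hosts on a typical workstation (assumption).
EXPECTED_PROCESSES = {"onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe",
                      "excel.exe", "winword.exe"}

# Constructed endpoint-agent network events (JSON lines), not real telemetry.
# WS-17 is normal use; WS-42 has powershell.exe polling the API every 60 s;
# WS-07 has a single powershell.exe request.
SAMPLE_LOG = """\
{"ts": "2022-05-10T09:00:00Z", "device": "WS-17", "process": "OneDrive.exe", "remote": "api.onedrive.com"}
{"ts": "2022-05-10T09:03:12Z", "device": "WS-17", "process": "OneDrive.exe", "remote": "api.onedrive.com"}
{"ts": "2022-05-10T09:30:00Z", "device": "WS-17", "process": "chrome.exe", "remote": "onedrive.live.com"}
{"ts": "2022-05-10T09:31:00Z", "device": "WS-17", "process": "outlook.exe", "remote": "outlook.office365.com"}
{"ts": "2022-05-10T09:47:30Z", "device": "WS-17", "process": "OneDrive.exe", "remote": "api.onedrive.com"}
{"ts": "2022-05-10T10:15:05Z", "device": "WS-17", "process": "OneDrive.exe", "remote": "api.onedrive.com"}
{"ts": "2022-05-10T09:00:00Z", "device": "WS-42", "process": "powershell.exe", "remote": "api.onedrive.com"}
{"ts": "2022-05-10T09:01:00Z", "device": "WS-42", "process": "powershell.exe", "remote": "api.onedrive.com"}
{"ts": "2022-05-10T09:02:00Z", "device": "WS-42", "process": "powershell.exe", "remote": "api.onedrive.com"}
{"ts": "2022-05-10T09:03:00Z", "device": "WS-42", "process": "powershell.exe", "remote": "api.onedrive.com"}
{"ts": "2022-05-10T09:04:00Z", "device": "WS-42", "process": "powershell.exe", "remote": "api.onedrive.com"}
{"ts": "2022-05-10T09:05:00Z", "device": "WS-42", "process": "powershell.exe", "remote": "api.onedrive.com"}
{"ts": "2022-05-10T09:10:00Z", "device": "WS-42", "process": "OneDrive.exe", "remote": "api.onedrive.com"}
{"ts": "2022-05-10T11:00:00Z", "device": "WS-07", "process": "powershell.exe", "remote": "api.onedrive.com"}
"""


def parse_events(text):
    """Parse JSON-lines events and keep only traffic to OneDrive/Graph hosts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["remote"].lower() not in ONEDRIVE_HOSTS:
            continue
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_unexpected_processes(events):
    """Sorted (device, process, host) triples where a non-allowlisted process reached a OneDrive host."""
    hits = {(e["device"], e["process"], e["remote"])
            for e in events if e["process"].lower() not in EXPECTED_PROCESSES}
    return sorted(hits)


def find_beacons(events, min_requests=5, max_jitter=0.2):
    """Per (device, process), flag request trains whose inter-arrival times are
    near-constant: coefficient of variation <= max_jitter over >= min_requests."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["device"], e["process"])].append(e["ts"])
    beacons = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_jitter:
            beacons[key] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return beacons


def hunt(text):
    """Run both checks over a log and return the findings."""
    events = parse_events(text)
    return {"unexpected": find_unexpected_processes(events),
            "beacons": find_beacons(events)}


if __name__ == "__main__":
    for name, finding in hunt(SAMPLE_LOG).items():
        print(name, finding)
```

On the constructed sample, the allowlist check surfaces powershell.exe on both WS-42 and WS-07, while the beaconing check narrows attention to WS-42, whose six requests arrive exactly 60 seconds apart; the single request on WS-07 is below the threshold and is left for analyst triage. Real implants add jitter, so the `max_jitter` bound is a starting point, not a fixed rule.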

Since February, Polonium has primarily targeted organizations in Israel’s critical manufacturing, IT and defense sectors.

According to the researchers, in at least one case Polonium’s compromise of an IT company was used to target a downstream aviation company and a law firm in a supply chain attack that relies on service provider credentials to gain access to the targeted networks.
