Polonium Uses Commercial Cloud Storage Accounts for Command-and-Control
An advanced persistent threat group based out of Lebanon and affiliated with Iran is using custom backdoors to target Israeli organizations.
The APT group tracked as Polonium targets organizations across verticals including engineering, information technology, law, communications, branding, marketing, media, insurance and social services.
Telemetry gathered by cybersecurity firm Eset shows the group targeting more than a dozen Israeli organizations since last fall, including through an operation detected in September. Microsoft first documented the threat actor’s existence in June after detecting the group using OneDrive storage for command and control.
Eset’s findings are that the group uses a slew of cloud storage accounts in addition to OneDrive, including Dropbox and Mega, as part of a suite of custom-coded backdoors. The backdoors, all a variation on the word “creep,” such as DeepCreep and MegaCreep, contact the cloud storage accounts to access text files in order to read and execute commands. A backdoor variation known as FlipCreep contacts a Polonium FTP server to access a file named
Iranian state-sponsored hacking – whether directly or through proxies – has risen in prominence over the past decade. Iranian hackers may lack the sophistication of their Chinese or Russian counterparts, but they’ve achieved goals including a destructive attack against Albania earlier this year and built tools such as a surreptitious email inbox scraper.
Researchers from Eset say Polonium backdoors distribute their functionality into small DLLs, “perhaps expecting that defenders or researchers will not observe the complete attack chain.”
Once a backdoor is installed, the threat actors may make use of modules for functions such as key logging, taking screenshots, exfiltrating files and executing commands.
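The command-and-control pattern the article describes, a backdoor repeatedly contacting a commercial cloud storage service to fetch a command file, leaves a detectable trace on the endpoint side: a process that is neither a browser nor the vendor's own sync client polling the storage API at near-regular intervals. The following Python script is an added example for defenders and is not code from the article, ESET or Microsoft. It runs over constructed proxy-log lines embedded inline; the log format, the domain-suffix table, the allowlist of expected client processes, the process names in the sample and the interval-jitter threshold are all assumptions for illustration and would be replaced by an organization's own telemetry and inventory.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real telemetry). The format is an
# assumption: ISO timestamp followed by key=value fields for host, process
# and destination. "svc-update.exe" is an invented process name.
SAMPLE_LOG = """\
2022-09-14T10:00:00 host=ws01 proc=chrome.exe dst=api.dropboxapi.com
2022-09-14T10:00:05 host=ws01 proc=chrome.exe dst=www.example.com
2022-09-14T10:01:00 host=ws02 proc=svc-update.exe dst=api.dropboxapi.com
2022-09-14T10:06:02 host=ws02 proc=svc-update.exe dst=api.dropboxapi.com
2022-09-14T10:10:59 host=ws02 proc=svc-update.exe dst=api.dropboxapi.com
2022-09-14T10:16:01 host=ws02 proc=svc-update.exe dst=api.dropboxapi.com
2022-09-14T10:03:00 host=ws03 proc=OneDrive.exe dst=graph.microsoft.com
2022-09-14T10:08:00 host=ws03 proc=OneDrive.exe dst=graph.microsoft.com
2022-09-14T10:13:00 host=ws03 proc=OneDrive.exe dst=graph.microsoft.com
2022-09-14T10:18:00 host=ws03 proc=OneDrive.exe dst=graph.microsoft.com
2022-09-14T10:02:00 host=ws04 proc=updater.exe dst=g.api.mega.co.nz
2022-09-14T10:47:00 host=ws04 proc=updater.exe dst=g.api.mega.co.nz
"""

# Domain suffixes mapped to the storage services the article names.
# Illustrative assumption; a real deployment uses its own service inventory.
CLOUD_STORAGE_SUFFIXES = {
    "dropboxapi.com": "Dropbox",
    "mega.co.nz": "Mega",
    "graph.microsoft.com": "OneDrive",
}

# Processes expected to talk to those services: browsers and the vendors'
# own sync clients. Assumed allowlist; tune it to the environment.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                    "OneDrive.exe", "Dropbox.exe", "MEGAsync.exe"}

LINE_RE = re.compile(r"^(\S+) host=(\S+) proc=(\S+) dst=(\S+)$")


def classify_service(dst):
    """Map a destination host to a cloud storage service name, or None."""
    for suffix, service in CLOUD_STORAGE_SUFFIXES.items():
        if dst == suffix or dst.endswith("." + suffix):
            return service
    return None


def parse_log(text):
    """Return (timestamp, host, proc, service) for lines hitting a storage service."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, host, proc, dst = m.groups()
        service = classify_service(dst)
        if service is None:
            continue
        events.append((datetime.fromisoformat(ts), host, proc, service))
    return events


def find_beacons(text, min_events=4, max_jitter=0.15):
    """Flag (host, process, service) groups where an unexpected process
    contacts a cloud storage service at near-regular intervals."""
    groups = defaultdict(list)
    for ts, host, proc, service in parse_log(text):
        groups[(host, proc, service)].append(ts)

    findings = []
    for (host, proc, service), times in groups.items():
        if proc in EXPECTED_CLIENTS or len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation of the gaps: a low value means the process
        # is polling on a fixed timer, which is how a command-file check-in
        # looks and how interactive human use does not.
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_jitter:
            findings.append({
                "host": host, "process": proc, "service": service,
                "events": len(times), "interval_s": round(mean),
                "jitter": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the sample, only the ws02 group is reported: an unlisted process reaching the Dropbox API roughly every five minutes with almost no jitter. The OneDrive.exe polling on ws03 is equally regular but comes from an expected sync client, and ws04 has too few events to judge. In practice the allowlist should be paired with code-signing or path checks, since a backdoor can be given a benign-looking process name, and the thresholds should be set from a baseline of the environment's own traffic.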
How the group gains initial access to the targeted systems remains unknown, but Eset researchers say that some of the victims’ Fortinet VPN account credentials were leaked in September 2021 and were made available online.