Microsoft disables Iran-linked hacker group targeting Israeli companies

Lebanon-based POLONIUM group targeted over 20 Israeli companies using Microsoft's OneDrive cloud storage platform.

 EVEN AFTER THE Cyberserve/Atraf disaster, Bennett is more afraid of overregulation than he is of lacking the power to save the private sector from its own occasional cyber laziness or cheapness. (photo credit: KACPER PEMPEL/ILLUSTRATION PHOTO/REUTERS)

Microsoft detected and took down an Iran-linked Lebanese hacking group that targeted more than 20 Israeli organizations and one intergovernmental organization, the tech conglomerate announced Thursday.

The group, which was tracked by Microsoft's Threat Intelligence Center (MSTIC) as POLONIUM, abused the company's OneDrive cloud storage platform for command and control (C2) purposes.

POLONIUM, which was undocumented prior to this abuse of OneDrive, "targeted or compromised" over 20 Israeli companies and one intergovernmental organization with operations in Lebanon in the past three months, Microsoft said.

It said MSTIC assessed with high confidence that POLONIUM is Lebanon-based, adding that it assessed with "moderate confidence" that the observed activity was coordinated with Iran's intelligence and security ministry.

"MSTIC assesses with moderate confidence that the observed activity was coordinated with other actors affiliated with Iran's intelligence and security ministry"

Microsoft, June 2
View of the Microsoft offices in Herzliya, Israel, on May 28, 2021 (credit: MOSHE SHAI/FLASH90)

How did POLONIUM target Israeli organizations?

POLONIUM was observed creating and using legitimate OneDrive accounts, then using those accounts as C2 infrastructure to execute part of its attack operation.

Microsoft noted that the activity does not represent a vulnerability or security issue on the OneDrive platform. However, Microsoft added that it has deployed security intelligence updates that will "quarantine" tools developed by POLONIUM operators.

In addition, Microsoft has suspended more than 20 malicious OneDrive applications created by POLONIUM and informed the affected organizations of the attacks.

According to the company, POLONIUM primarily targeted Israeli organizations which specialize in critical manufacturing and IT, along with major organizations in Israel's defense industry.

Microsoft and Iran-linked hackers

Microsoft has identified and disabled several Iranian-linked attacks on Israeli companies in the recent past.

In October 2021, Microsoft announced that Iranian hackers successfully targeted US and Israeli defense technology companies. More than 250 Microsoft Office 365 accounts linked to the US, EU and the Israeli government were hacked into through extensive password spraying.

In addition, Persian Gulf ports of entry and global maritime transportation companies with a business presence in the Middle East were targeted.

In 2019, Microsoft seized 99 Iranian websites used to steal confidential information and launch cyber attacks.