Threats Feed | Plaid Rain (Polonium) | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 02/06/2022

Iranian-Linked POLONIUM Targets Israeli Manufacturing and Defense Industries

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Vulnerability Exploitation, Backdoor, Malware, Supply Chain Compromise
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

POLONIUM, suspected of coordinating with Iran's Ministry of Intelligence and Security, is actively targeting Israeli organizations across multiple sectors, including critical manufacturing, IT, and defense. The group exploits supply chain relationships by compromising IT companies and then using that access to target downstream organizations such as aviation companies and law firms. Its TTPs include custom implants like CreepyDrive, which use cloud services for C2 and data exfiltration. MSTIC also notes overlap with the Iranian groups MERCURY and CopyKittens, both in the victims targeted and in techniques such as the use of AirVPN and OneDrive. Though unconfirmed, around 80% of victims were observed running Fortinet appliances, suggesting possible exploitation of CVE-2018-13379.

Detected Targets

Type | Description | Confidence
Sector | Defense | Verified
Sector | Financial | Verified
Sector | Food and Agriculture | Verified
Sector | Government Agencies and Services | Verified
Sector | Information Technology | Verified
Sector | Manufacturing | Verified
Sector | Aerospace | Verified
Sector | Healthcare | Verified
Sector | Transportation | Verified
Region | Israel | Verified
Region | Lebanon | Verified

Extracted IOCs

  • 135[.]125.147.170
  • 172[.]96.188.51
  • 185[.]244.129.109
  • 185[.]244.129.79
  • 45[.]80.149.108
  • 45[.]80.149.57
  • 45[.]80.149.68
  • 45[.]80.149.71
  • 51[.]83.246.73

Tip: 9 IOCs related to this threat (9 IP, 0 domain, 0 URL, 0 email, 0 file hash) have been found.

Overlaps

Polonium | POLONIUM Cyber Espionage: Focused Attacks on Israeli Organizations Across Multiple Sectors

Source: ESET - October 2022

Detection (five cases): 185[.]244.129.79, 45[.]80.149.108, 45[.]80.149.68, 45[.]80.149.71, 51[.]83.246.73

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.
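As an added example (not part of the Certfa Radar page and not vendor tooling), the following Python script shows how a defender would consume the IOC list above: it refangs the nine defanged IP indicators, validates each as an IPv4 address, scans log lines for any occurrence, and tags each hit with whether the indicator also appears in the ESET overlap set from the Overlaps section. The firewall log lines, the fw01 hostname and the key=value field layout are constructed for illustration and are not from the page.

```python
import ipaddress
import re

# IOCs exactly as listed on the page, defanged with "[.]"
DEFANGED_IOCS = [
    "135[.]125.147.170",
    "172[.]96.188.51",
    "185[.]244.129.109",
    "185[.]244.129.79",
    "45[.]80.149.108",
    "45[.]80.149.57",
    "45[.]80.149.68",
    "45[.]80.149.71",
    "51[.]83.246.73",
]

# Subset the page reports as overlapping with the ESET (October 2022) report
ESET_OVERLAP = {
    "185.244.129.79",
    "45.80.149.108",
    "45.80.149.68",
    "45.80.149.71",
    "51.83.246.73",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a real one and validate it as an IP.

    ipaddress.ip_address raises ValueError on anything that is not a valid
    address, so a malformed feed entry fails loudly instead of silently
    never matching.
    """
    candidate = ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return str(ipaddress.ip_address(candidate))


# Refanged, validated set used for O(1) membership checks
IOC_SET = {refang(i) for i in DEFANGED_IOCS}

# Word boundaries stop "45.80.149.10" from matching inside "45.80.149.108"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log_lines(lines):
    """Return (line_number, matched_ip, in_eset_overlap) for each IOC hit.

    Every IPv4-looking token on a line is extracted, so src, dst and any
    other address field are all checked without parsing the log format.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_SET:
                hits.append((number, ip, ip in ESET_OVERLAP))
    return hits


# Constructed sample firewall log (hostname, fields and timestamps are made up)
SAMPLE_LOG = [
    "2024-07-25T10:01:02Z fw01 action=allow src=10.0.0.12 dst=185.244.129.79 dport=443 proto=tcp",
    "2024-07-25T10:01:05Z fw01 action=allow src=10.0.0.15 dst=142.250.74.78 dport=443 proto=tcp",
    "2024-07-25T10:02:11Z fw01 action=deny src=45.80.149.57 dst=10.0.0.5 dport=22 proto=tcp",
    "2024-07-25T10:03:40Z fw01 action=allow src=10.0.0.12 dst=1.1.1.1 dport=53 proto=udp",
]

if __name__ == "__main__":
    for number, ip, overlap in scan_log_lines(SAMPLE_LOG):
        tag = " (also in ESET overlap)" if overlap else ""
        print(f"line {number}: IOC {ip} matched{tag}")
```

Validating through ipaddress rather than only string replacement matters when feeds are ingested automatically: a typo in a defanged entry becomes an exception at load time rather than a detection rule that never fires. The overlap tag is useful for triage, since an indicator confirmed by two independent reports (Certfa Radar and ESET here) carries more weight than one seen once.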

About Affiliation
Plaid Rain