Iranian-Linked POLONIUM Targets Israeli Manufacturing and Defense Industries
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Vulnerability Exploitation, Backdoor, Malware, Supply Chain Compromise
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
POLONIUM, suspected of coordinating with Iran's Ministry of Intelligence and Security, is actively targeting Israeli organizations across multiple sectors, including critical manufacturing, IT, and defense. The group exploits supply chain relationships by compromising IT companies and then using that access to reach downstream organizations such as aviation companies and law firms. Its TTPs include custom implants such as CreepyDrive, which uses cloud services for C2 and data exfiltration. MSTIC also notes overlap with the Iranian groups MERCURY and CopyKittens, both in targeted victims and in techniques such as the use of AirVPN and OneDrive. Though unconfirmed, around 80% of victims were observed running Fortinet appliances, suggesting possible exploitation of CVE-2018-13379.
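Because CreepyDrive uses OneDrive for C2 and exfiltration, the destination hostname alone is not a useful signal; the originating process is. The following detection heuristic is an added example (not from MSTIC or the original report): it parses constructed proxy log lines and flags hosts where a process outside an assumed baseline repeatedly reaches OneDrive/Graph endpoints. The log format, process allow-list and process name `syncagent.exe` are assumptions for illustration.

```python
"""Flag OneDrive/Graph API traffic originating from unexpected processes."""
import re
from collections import defaultdict

# Endpoints used for OneDrive file access (Graph and legacy OneDrive API).
ONEDRIVE_HOSTS = {"graph.microsoft.com", "api.onedrive.com"}
# Processes expected to reach OneDrive on a managed workstation.
# Assumption: replace with the organisation's own baseline.
EXPECTED_PROCESSES = {"onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe",
                      "excel.exe", "winword.exe", "outlook.exe", "teams.exe"}

# Assumed proxy log layout: ts host=... proc=... dst=... path=... bytes_out=N
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
                    r"dst=(?P<dst>\S+) path=(?P<path>\S+) bytes_out=(?P<bytes>\d+)$")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_suspicious(lines, min_hits=2):
    """Tally OneDrive traffic per (host, process) for processes outside the
    baseline; return those seen at least min_hits times with bytes uploaded."""
    tally = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in ONEDRIVE_HOSTS:
            continue
        if rec["proc"].lower() in EXPECTED_PROCESSES:
            continue  # legitimate client; ignore
        key = (rec["host"], rec["proc"])
        tally[key]["requests"] += 1
        tally[key]["bytes_out"] += rec["bytes"]
    return {k: v for k, v in tally.items() if v["requests"] >= min_hits}


# Constructed sample log lines: ws02 shows an unknown process polling a file
# and uploading a large archive, the pattern a cloud-C2 implant produces.
SAMPLE_LOGS = [
    "2022-06-01T08:00:01Z host=ws01 proc=OneDrive.exe dst=graph.microsoft.com path=/v1.0/me/drive/root bytes_out=512",
    "2022-06-01T08:00:05Z host=ws01 proc=chrome.exe dst=api.onedrive.com path=/v1.0/drive/root bytes_out=300",
    "2022-06-01T08:01:00Z host=ws02 proc=syncagent.exe dst=graph.microsoft.com path=/v1.0/me/drive/root:/cmd.txt:/content bytes_out=300",
    "2022-06-01T08:06:00Z host=ws02 proc=syncagent.exe dst=graph.microsoft.com path=/v1.0/me/drive/root:/out.zip:/content bytes_out=2400000",
    "2022-06-01T08:07:00Z host=ws03 proc=notepad.exe dst=api.onedrive.com path=/v1.0/drive/root bytes_out=100",
    "2022-06-01T08:08:00Z host=ws04 proc=svc.exe dst=example.com path=/ bytes_out=50",
]

if __name__ == "__main__":
    for (host, proc), stats in find_suspicious(SAMPLE_LOGS).items():
        print(f"{host} {proc}: {stats['requests']} requests, {stats['bytes_out']} bytes out")
```

The single notepad.exe hit on ws03 stays below the threshold and is not reported; tune `min_hits` and the baseline to the environment.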
| Attribute | Value | Status |
|---|---|---|
| Sector | Food and Agriculture | Verified |
| Sector | Government Agencies and Services | Verified |
Related IOCs for this threat: 9 (9 IP, 0 domain, 0 URL, 0 email, 0 file hash).