Microsoft steps in to disable OneDrive attacks from Lebanese group targeting Israeli orgs

Microsoft on Thursday said it detected and disabled attacks targeting OneDrive from a Lebanon-based group the company named Polonium. 

The tech giant said the incidents were part of a larger wave of attacks Polonium has launched against organizations based in Israel. 

The Microsoft Threat Intelligence Center (MSTIC) said it determined “with moderate confidence” that the group was coordinating its efforts with hackers affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

“To further address this abuse, Microsoft has suspended more than 20 malicious OneDrive applications created by Polonium actors, notified affected organizations, and deployed a series of security intelligence updates that will quarantine tools developed by Polonium operators,” MSTIC explained in a blog post. 

“Our goal with this blog is to help deter future activity by exposing and sharing the POLONIUM tactics with the community at large.”

MSTIC said it was willing to publicly tie the attacks to groups connected to Lebanon and Iran based “primarily on victim overlap and commonality of tools and techniques.” The company claimed the attacks have been ongoing since 2020 and were part of a trend where Iran used third-party groups to carry out cyberattacks so they could plausibly deny responsibility. 

More than 20 organizations based in Israel and one intergovernmental organization based in Lebanon have been attacked by Polonium in the last three months. 

MSTIC noted that the group “deployed unique tools that abuse legitimate cloud services for command and control (C2) across most of their victims.”

“Polonium was observed creating and using legitimate OneDrive accounts, then utilizing those accounts as C2 to execute part of their attack operation. This activity does not represent any security issues or vulnerabilities on the OneDrive platform,” the researchers explained, adding that they don't presently see links between this activity and other groups linked to Lebanon.

Who is 'Polonium'

Since February, Microsoft has seen several attacks launched by Polonium targeting Israeli companies involved in manufacturing, IT, transportation systems, defense industrial base, government agencies and services, food and agriculture, financial services and healthcare.

One attack saw Polonium actors go after an IT company with the aim of crippling a downstream aviation company and a law firm. 

The group has a tendency to specifically target service providers for the Israeli military, hoping the attacks will provide downstream access. Polonium actors were seen by MSTIC deploying custom implants that use cloud services – like OneDrive and Dropbox – for command and control as well as data exfiltration. 

“While OneDrive performs antivirus scanning on all uploaded content, Polonium is not using the cloud service to host their malware. If malware was hosted in the OneDrive account, Microsoft Defender Antivirus detections would block it,” the tech giant explained. 

“Instead, they are interacting with the cloud service in the same way that a legitimate customer would. OneDrive is partnering with MSTIC to identify and disable accounts that are linked to known adversary behavior.”

The company added that it is still investigating how the group gained access to its victims but noted that in about 80% of the attacks, Microsoft saw victims were running Fortinet appliances. While still unsure of the cause, Microsoft said they believe the group is likely exploiting CVE-2018-13379.