Report: Lebanon-based hacking group attacked Israeli targets with custom backdoors
Andrea Peterson October 12, 2022

Report: Lebanon-based hacking group attacked Israeli targets with custom backdoors

Andrea Peterson

October 12, 2022

Report: Lebanon-based hacking group attacked Israeli targets with custom backdoors

The advanced persistent threat (APT) group known as Polonium attacked more than a dozen organizations using at least seven custom backdoors since September of last year, according to a new report from ESET. 

The Slovakia-based cybersecurity firm found the group focused “only on Israeli targets,” striking across verticals including “engineering, information technology, law, communications, branding and marketing, media, insurance, and social services.”

Polonium relies on a bespoke set of hacking tools, researchers said. 

“In various attacks carried out by this group over a short period of time, we detected the same component containing minor changes. In some other cases, we have seen a module, coded from scratch, that followed the same logic as some previous components,” ESET reported. “Only in a few cases have we seen the group use publicly available tools or code.”

Those tools include a variety of custom backdoors that feature the ability to take screenshots, spy via webcam, log keystrokes and exfiltrate files, according to ESET. The report included details on several previously undisclosed backdoors deployed by Polonium, written in either C# or C++.

Polonium relies on major cloud providers to hide their command and control infrastructure, ESET noted, including via DropBox, OneDrive, and Mega.

Polonium was first disclosed in a June report from Microsoft, which determined the group was based in Lebanon. The company assessed with “moderate” confidence that the group was coordinating with affiliates of Iran’s Ministry of Intelligence and Security.

Microsoft said it suspended “more than 20 malicious OneDrive applications created by Polonium actors” at the time. 

According to ESET researchers, the group remains active.

Andrea Peterson (they/them) was a senior policy correspondent at Recorded Future News and a longtime cybersecurity journalist who cut their teeth covering technology policy ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.