Report: Lebanon-based hacking group attacked Israeli targets with custom backdoors

The advanced persistent threat (APT) group known as Polonium attacked more than a dozen organizations using at least seven custom backdoors since September of last year, according to a new report from ESET. 

The Slovakia-based cybersecurity firm found the group focused “only on Israeli targets,” striking across verticals including “engineering, information technology, law, communications, branding and marketing, media, insurance, and social services.”

Polonium relies on a bespoke set of hacking tools, researchers said. 

“In various attacks carried out by this group over a short period of time, we detected the same component containing minor changes. In some other cases, we have seen a module, coded from scratch, that followed the same logic as some previous components,” ESET reported. “Only in a few cases have we seen the group use publicly available tools or code.”

Those tools include a variety of custom backdoors that feature the ability to take screenshots, spy via webcam, log keystrokes and exfiltrate files, according to ESET. The report included details on several previously undisclosed backdoors deployed by Polonium, written in either C# or C++.

Polonium relies on major cloud providers to hide its command-and-control infrastructure, ESET noted, routing backdoor traffic through Dropbox, OneDrive, and Mega.
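Because C2 traffic to Dropbox, OneDrive and Mega blends in with legitimate sync traffic, one practical hunt is to ask which processes on an endpoint are reaching those services' API hosts and whether they are the vendors' own clients. The script below is an added example written for this page; it is not code from ESET, Microsoft, or the reports they published. The API hostnames are the services' public endpoints, but the log line format, the `EXPECTED_CLIENTS` allow-list, the `min_hits` threshold, and every sample log line are constructed assumptions for illustration.

```python
"""Hunt for cloud-storage abuse as C2: connections to Dropbox, OneDrive or
Mega API endpoints from processes that are not the vendors' own clients.

Added example; not code from ESET, Microsoft or Polonium. The log line
format and the EXPECTED_CLIENTS allow-list are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Public API hostnames for the three services named in the report.
CLOUD_API_HOSTS = {
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
    "graph.microsoft.com": "onedrive",  # OneDrive file APIs are served via Microsoft Graph
    "g.api.mega.co.nz": "mega",
    "mega.nz": "mega",
}

# Assumed allow-list of image names expected to reach each API in this environment.
# Tune this per estate; the point is that a bespoke backdoor will not be on it.
EXPECTED_CLIENTS = {
    "dropbox": {"dropbox.exe"},
    "onedrive": {"onedrive.exe", "outlook.exe", "winword.exe", "excel.exe", "msedge.exe"},
    "mega": {"megasync.exe"},
}

# Assumed proxy/EDR export format: "<timestamp> host=<endpoint> proc=<image> dst=<fqdn>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)")


@dataclass(frozen=True)
class Finding:
    host: str
    process: str
    service: str
    hits: int
    first_seen: str


def parse_line(line):
    """Parse one export line; return None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(lines, min_hits=3):
    """Return one Finding per (host, process, service) where a process outside
    the allow-list reached a cloud-storage API at least min_hits times.

    The threshold suppresses one-off lookups; a backdoor polling a cloud
    account for tasking produces repeated requests from the same image."""
    counts = {}
    first_seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = CLOUD_API_HOSTS.get(rec["dst"].lower())
        if service is None:
            continue  # not a cloud-storage API host
        proc = rec["proc"].lower()
        if proc in EXPECTED_CLIENTS[service]:
            continue  # the official client; expected traffic
        key = (rec["host"], proc, service)
        counts[key] = counts.get(key, 0) + 1
        first_seen.setdefault(key, rec["ts"])
    return [
        Finding(host=h, process=p, service=s, hits=n, first_seen=first_seen[(h, p, s)])
        for (h, p, s), n in sorted(counts.items())
        if n >= min_hits
    ]


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2022-10-03T08:01:11Z host=ws-17 proc=dropbox.exe dst=api.dropboxapi.com",
    "2022-10-03T08:02:40Z host=ws-17 proc=svchost.exe dst=api.dropboxapi.com",
    "2022-10-03T08:07:41Z host=ws-17 proc=svchost.exe dst=api.dropboxapi.com",
    "2022-10-03T08:12:42Z host=ws-17 proc=svchost.exe dst=content.dropboxapi.com",
    "2022-10-03T08:17:43Z host=ws-17 proc=svchost.exe dst=api.dropboxapi.com",
    "2022-10-03T08:20:05Z host=ws-22 proc=outlook.exe dst=graph.microsoft.com",
    "2022-10-03T08:21:09Z host=ws-22 proc=updater.exe dst=g.api.mega.co.nz",
    "2022-10-03T08:26:10Z host=ws-22 proc=updater.exe dst=g.api.mega.co.nz",
    "2022-10-03T08:31:12Z host=ws-22 proc=updater.exe dst=g.api.mega.co.nz",
    "2022-10-03T08:33:00Z host=ws-30 proc=explorer.exe dst=mega.nz",
    "2022-10-03T08:34:00Z host=ws-30 proc=chrome.exe dst=www.example.com",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f.host}: {f.process} -> {f.service} API, {f.hits} hits, first seen {f.first_seen}")
```

Run against the constructed sample, the hunt surfaces the `svchost.exe` process on `ws-17` talking to the Dropbox API and `updater.exe` on `ws-22` polling Mega, while the official Dropbox client, Outlook's Graph calls, and a single `explorer.exe` lookup of `mega.nz` stay below the threshold. The allow-list is the weak point of this approach: an implant that injects into or names itself after a legitimate client will not be caught by image name alone, so in practice pair this with process-integrity or signing checks.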

Polonium was first disclosed in a June report from Microsoft, which determined the group was based in Lebanon. The company assessed with “moderate” confidence that the group was coordinating with affiliates of Iran’s Ministry of Intelligence and Security.

Microsoft said it suspended “more than 20 malicious OneDrive applications created by Polonium actors” at the time. 

According to ESET researchers, the group remains active.


Andrea Peterson (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.