Background
POLONIUM is a Lebanon-based cyber espionage group that Microsoft links, with moderate confidence, to Iran's Ministry of Intelligence and Security (MOIS). First publicly disclosed by the Microsoft Threat Intelligence Center (MSTIC) in June 2022, POLONIUM has been active since at least 2021 and is an unusual case in the threat landscape: an actor based in one country (Lebanon) operating as a proxy or partner for another country's (Iran's) intelligence objectives. The arrangement likely reflects Iran's established practice of working through Lebanon-based partners to conduct operations against Israel while preserving plausible deniability.
POLONIUM's primary operational focus is Israeli organizations across multiple sectors, including critical manufacturing, IT, defense, law, and finance. Based on victim overlap and shared tools and techniques, Microsoft assesses that the group coordinates with other MOIS-affiliated actors, including MuddyWater (which Microsoft tracks as MERCURY and has also tied to MOIS). Microsoft disrupted POLONIUM operations in June 2022 by suspending more than 20 malicious OneDrive applications the group had created for command and control, one of the few documented cases of a cloud provider taking direct action against an APT's operational infrastructure.
The group's geographic positioning in Lebanon, Iran's intelligence relationships with Lebanese entities, and the near-exclusive focus on Israeli targets collectively support the MOIS attribution. POLONIUM fits the growing pattern of Iranian cyber operations using third-country proxies and partners to extend reach while creating attribution uncertainty.
Notable Campaigns
Israeli Multi-Sector Campaign (2021-2022): Microsoft documented POLONIUM targeting or compromising more than 20 Israeli organizations across critical manufacturing, IT, defense, legal, and financial sectors. The intrusions maintained access for extended periods, with the group routing command and control through OneDrive (and, per ESET, Dropbox) so that implant traffic blended with legitimate cloud synchronization. Victimology included Israeli defense contractors, a defense manufacturing company, a law firm with government clients, and multiple IT companies providing services to the Israeli government.
Supply Chain Pivot Through IT Providers (2022): POLONIUM repeatedly compromised Israeli IT service providers first, then reused the providers' credentials and VPN access to pivot into their downstream customers. Entering through a trusted vendor let the group reach comparatively well-defended organizations over an access path that already existed and received far less scrutiny than a direct external connection.
Microsoft OneDrive C2 Operations (2021-2022): POLONIUM's CreepyDrive implant communicated with OneDrive through the Microsoft Graph API, authenticating with OAuth refresh tokens for attacker-controlled accounts. Because every request went to legitimate Microsoft endpoints over TLS, the C2 traffic was hard to distinguish from ordinary OneDrive synchronization at the network level; the distinguishing signal lives on the endpoint, where the requesting process is a script interpreter rather than the sync client. Microsoft disrupted this infrastructure in June 2022 by suspending the OneDrive applications involved.
Post-Disruption Adaptation (2022 onward): Following Microsoft's June 2022 disruption, POLONIUM continued operating against Israeli targets with new and updated "Creepy" variants. ESET's October 2022 report described a broader toolset than Microsoft had disclosed: Dropbox- and Mega-backed backdoors alongside variants that reach attacker-controlled servers over FTP, raw TCP, and HTTP, which gives the group fallback channels if one cloud provider suspends its accounts again.
Tactics, Techniques & Procedures
Cloud Service Command and Control: POLONIUM's signature technique is the use of legitimate cloud storage as a bidirectional C2 channel (T1102.002 Web Service: Bidirectional Communication; T1567.002 Exfiltration to Cloud Storage). Several members of the "Creepy" backdoor family each bind to a different service (OneDrive, Dropbox, Mega), while others fall back to attacker-controlled servers. Operators task a cloud-backed implant by writing an encoded command to a file in a drive they control; the implant polls that file on a timer through the service's API, executes the command, and uploads the output to a second file. For these variants no traffic reaches attacker-owned infrastructure directly.
IT Provider Trusted-Relationship Access: POLONIUM targets Israeli IT service providers as an initial vector to reach higher-value end clients (T1199 Trusted Relationship, followed by T1078 Valid Accounts and T1133 External Remote Services with the stolen credentials). The group obtains VPN credentials and remote access tool configurations from compromised providers, then authenticates to client networks with those legitimate credentials, so the first hop into the victim looks like routine vendor maintenance.
Credential Harvesting: After establishing initial access, POLONIUM harvests credentials with keylogging implants (T1056.001) for lateral movement, and ESET also documented screenshot and microphone capture in the toolset. Remote Desktop Protocol (T1021.001) is used for interactive access once credentials are obtained. The group prioritizes access to email servers, file shares, and document management systems containing sensitive information.
Covert Persistent Access: Persistence mechanisms include registry run keys (T1547.001) and scheduled tasks (T1053.005). Malware components are dropped under legitimate-looking file names and paths that mimic system tools or common software, reducing the chance that routine endpoint scans or an analyst scanning a process list will flag them.
Tools & Malware
- CreepyDrive: A PowerShell backdoor that communicates exclusively through cloud storage (OneDrive via the Microsoft Graph API; ESET also observed a Dropbox-capable version). It downloads a file containing commands, executes them, and uploads the output to another file, providing bidirectional C2 with no direct network connection to attacker infrastructure.
- CreepySnail: A PowerShell backdoor with capabilities comparable to CreepyDrive but which, unlike it, fetches commands from and posts results to attacker-controlled web servers rather than a cloud storage service.
- FlipCreep: A C# backdoor that receives commands from, and uploads results to, an attacker-operated FTP server, exchanging tasking and output as files on that server.
- TechnoCreep: A C# backdoor that communicates with attacker-controlled servers over raw TCP sockets, providing command execution and file transfer for environments where cloud storage access is restricted or unwanted.
- PapaCreep: A modular C++ backdoor, the only member of the family not written in PowerShell or C#, with separate components for command execution, file transfer, and C2 communication with attacker-controlled servers.
- DeepCreep: A C# backdoor that uses Dropbox for C2, reading commands from and writing output to files in an attacker-controlled Dropbox account.
- MegaCreep: A C# backdoor that uses the Mega cloud storage service for C2 in the same file-exchange pattern, adding yet another provider to POLONIUM's diversified C2 infrastructure.
Indicators & Detection
Cloud Service Anomaly Detection: Cloud-backed C2 is the hardest surface to cover at the network layer, because every destination is a legitimate Microsoft, Dropbox, or Mega endpoint over TLS. Shift detection to the endpoint and to behavior: baseline which processes legitimately talk to cloud storage APIs (the sync client, browsers, Office), and alert when script interpreters or unsigned binaries do. Use user and entity behavior analytics (UEBA), or plain statistics, to flag fixed-interval polling of storage APIs with no corresponding user activity, and watch for cloud storage client processes touching unusual file paths or running outside working hours.
IT Vendor Access Monitoring: Organizations that rely on IT managed service providers, particularly in Israel, should apply zero-trust principles to vendor access: broker vendor connections through a privileged access management (PAM) solution rather than standing VPN accounts, restrict each vendor account to approved source networks and maintenance windows, and alert on any use outside them. Review third-party VPN and remote-tool logs for logins from unexpected source IPs, at unusual hours, or to systems outside the vendor's scope.
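The vendor-access rule above, as an added example (not code from the page's sources or from any POLONIUM tooling): it checks constructed VPN concentrator log lines for a vendor service account against an approved source range and maintenance windows. The account name, the TEST-NET address ranges, the windows, and the log format are all assumptions made for the example.

```python
import ipaddress
from datetime import datetime, time

# Hypothetical policy for one MSP service account, for this example only.
# Weekdays use Python's numbering (Monday=0 .. Sunday=6); windows are local time.
VENDOR_POLICY = {
    "svc-msp-helpdesk": {
        # TEST-NET-3 stands in for the vendor's real egress range.
        "allowed_networks": [ipaddress.ip_network("203.0.113.0/24")],
        # Approved maintenance windows: Tuesday and Thursday, 20:00-23:00.
        "windows": [(1, time(20, 0), time(23, 0)), (3, time(20, 0), time(23, 0))],
    },
}

def in_window(ts, windows):
    """True if the timestamp falls inside any approved maintenance window."""
    return any(ts.weekday() == day and start <= ts.time() <= end
               for day, start, end in windows)

def check_vpn_log(lines):
    """Return vendor-account policy violations as
    (severity, user, timestamp, source_ip, reasons)."""
    findings = []
    for line in lines:
        ts_s, user, src, result = line.strip().split("|")
        policy = VENDOR_POLICY.get(user)
        if policy is None:
            continue  # not a vendor account; out of scope for this rule
        ts = datetime.fromisoformat(ts_s)
        ip = ipaddress.ip_address(src)
        reasons = []
        if not any(ip in net for net in policy["allowed_networks"]):
            reasons.append(f"source {src} outside approved vendor range")
        if not in_window(ts, policy["windows"]):
            reasons.append("login outside approved maintenance window")
        if reasons:
            # An off-policy success is the real alarm; off-policy failures are
            # still worth a look, since stolen vendor credentials get tried first.
            severity = "high" if result == "success" else "low"
            findings.append((severity, user, ts_s, src, "; ".join(reasons)))
    return findings

# Constructed VPN log lines: timestamp|user|source_ip|result
SAMPLE_VPN_LOG = [
    "2024-03-12T20:15:00|svc-msp-helpdesk|203.0.113.17|success",   # Tue, in window, vendor IP
    "2024-03-13T03:40:00|svc-msp-helpdesk|203.0.113.17|success",   # Wed 03:40, no window
    "2024-03-14T21:05:00|svc-msp-helpdesk|198.51.100.77|success",  # Thu in window, foreign IP
    "2024-03-14T21:06:00|svc-msp-helpdesk|198.51.100.77|failure",  # same foreign IP, failed
    "2024-03-12T20:30:00|alice|10.0.0.5|success",                  # employee, not in scope
]

if __name__ == "__main__":
    for finding in check_vpn_log(SAMPLE_VPN_LOG):
        print(finding)
```

On the constructed sample the rule produces three findings: the Wednesday 03:40 login (outside every window), the Thursday login from an address outside the vendor range, and a low-severity entry for the failed attempt from the same foreign address. In production the windows would come from the change-management system and the ranges from the vendor's contract, not from a hard-coded dictionary.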
Endpoint Detection: CreepyDrive runs inside PowerShell, so alert on powershell.exe (or other script hosts) making requests to graph.microsoft.com or login.microsoftonline.com. The OneDrive sync client makes those requests; a script interpreter normally does not, and the OAuth tokens it presents belong to attacker-controlled accounts rather than to the signed-in user. Alert on scheduled tasks or registry run keys pointing at files in unusual directories or carrying encoded command lines. Monitor process creation chains where Office applications, script interpreters, or the scheduled-task service spawn processes that then reach cloud storage APIs.
Defense-in-Depth for High-Value Israeli Organizations: Israeli defense contractors, law firms with government clients, and financial institutions should implement network segmentation, privileged access workstations, and phishing-resistant hardware security keys for all administrative access. Assume POLONIUM has attempted, or already achieved, initial access through a compromised IT provider: inventory every vendor-supplied remote access path, validate its configuration, and rotate any shared vendor credentials.
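The two endpoint-side signals described here and in the Cloud Service Command and Control and CreepyDrive entries above (a non-sync-client process talking to a storage API, and fixed-interval polling of that API) as an added example that is not code from the page's sources or from any POLONIUM tool. It runs over constructed network-connection telemetry in a Sysmon-like shape; the hostnames, process allowlist, thresholds, and log format are assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Endpoints the Creepy family uses for C2: OneDrive through Microsoft Graph,
# the token endpoint CreepyDrive hits to refresh its OAuth token, Dropbox, Mega.
CLOUD_STORAGE_HOSTS = {
    "graph.microsoft.com": "OneDrive (Graph API)",
    "login.microsoftonline.com": "Microsoft identity (token refresh)",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "g.api.mega.co.nz": "Mega",
}

# Hypothetical allowlist of processes expected to reach those endpoints on a
# managed Windows workstation; derive yours from a baseline of real telemetry.
EXPECTED_CLIENTS = {"onedrive.exe", "dropbox.exe", "megasync.exe",
                    "msedge.exe", "chrome.exe", "outlook.exe", "teams.exe"}

# Script hosts and LOLBins that have no business polling a cloud drive.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def parse_event(line):
    """Parse one constructed connection record:
    ISO timestamp|hostname|image|parent image|destination hostname."""
    ts, host, image, parent, dest = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "image": image.lower(), "parent": parent.lower(), "dest": dest.lower()}

def unexpected_client_alerts(events):
    """Rule 1: a process outside the allowlist talking to a storage API."""
    alerts = []
    for e in events:
        if e["dest"] in CLOUD_STORAGE_HOSTS and e["image"] not in EXPECTED_CLIENTS:
            severity = "high" if e["image"] in SCRIPT_HOSTS else "medium"
            alerts.append((severity, e["host"], e["image"], e["parent"], e["dest"]))
    return alerts

def beaconing_alerts(events, min_connections=5, max_cv=0.15):
    """Rule 2: near-constant inter-arrival times to a storage API.
    A file-polling implant runs on a timer; a sync client or a human does not.
    Flags (host, image, dest) when the coefficient of variation of the gaps
    between its connections is at or below max_cv."""
    buckets = defaultdict(list)
    for e in events:
        if e["dest"] in CLOUD_STORAGE_HOSTS:
            buckets[(e["host"], e["image"], e["dest"])].append(e["ts"])
    alerts = []
    for key, stamps in buckets.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            alerts.append(key + (round(mean), round(cv, 3)))
    return alerts

# Constructed telemetry: a task-launched PowerShell polling Graph every 60 s,
# the real sync client with irregular traffic, a browser upload to Dropbox, and
# one wscript hit on the token endpoint (suspicious, but too few samples to time).
SAMPLE_EVENTS = [
    "2024-03-12T09:00:00|WS-042|powershell.exe|svchost.exe|graph.microsoft.com",
    "2024-03-12T09:01:00|WS-042|powershell.exe|svchost.exe|graph.microsoft.com",
    "2024-03-12T09:02:00|WS-042|powershell.exe|svchost.exe|graph.microsoft.com",
    "2024-03-12T09:03:00|WS-042|powershell.exe|svchost.exe|graph.microsoft.com",
    "2024-03-12T09:04:00|WS-042|powershell.exe|svchost.exe|graph.microsoft.com",
    "2024-03-12T09:05:00|WS-042|powershell.exe|svchost.exe|graph.microsoft.com",
    "2024-03-12T09:00:05|WS-042|OneDrive.exe|explorer.exe|graph.microsoft.com",
    "2024-03-12T09:00:07|WS-042|OneDrive.exe|explorer.exe|graph.microsoft.com",
    "2024-03-12T09:03:40|WS-042|OneDrive.exe|explorer.exe|graph.microsoft.com",
    "2024-03-12T09:10:12|WS-042|OneDrive.exe|explorer.exe|graph.microsoft.com",
    "2024-03-12T09:10:13|WS-042|OneDrive.exe|explorer.exe|graph.microsoft.com",
    "2024-03-12T09:25:00|WS-042|OneDrive.exe|explorer.exe|graph.microsoft.com",
    "2024-03-12T09:02:30|WS-042|chrome.exe|explorer.exe|content.dropboxapi.com",
    "2024-03-12T11:47:09|WS-077|wscript.exe|explorer.exe|login.microsoftonline.com",
]

def run(lines):
    """Apply both rules to raw log lines; returns (client_alerts, beacon_alerts)."""
    events = [parse_event(line) for line in lines]
    return unexpected_client_alerts(events), beaconing_alerts(events)

if __name__ == "__main__":
    clients, beacons = run(SAMPLE_EVENTS)
    for a in clients:
        print("unexpected client:", a)
    for b in beacons:
        print("beaconing:", b)
```

Rule 1 fires on every PowerShell and wscript connection; rule 2 fires only on the PowerShell bucket, whose six connections arrive exactly 60 seconds apart, while the sync client's bursty traffic has a coefficient of variation above 1 and stays quiet. Real implants add jitter, so tune max_cv against your own baseline rather than trusting the 0.15 used here, and treat rule 2 as a confirmation of rule 1 rather than a replacement for it.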