Previously unreported Lebanon-based hacking group targeting Israel, Microsoft says

A previously unreported Lebanon-based hacking group with likely ties to Iranian intelligence has targeted more than 20 Israeli organizations since February, Microsoft’s Threat Intelligence Center and Digital Security Unit reported Thursday.

The group, which Microsoft dubbed “Polonium,” targeted or compromised more than 20 organizations in Israel and one unnamed intergovernmental organization with operations in Lebanon “with a focus on critical manafacturing, IT, and Israel’s defense industry,” the researchers wrote. In one case a cloud services provider “was used to target a downstream aviation company and law firm in a supply chain attack.”

The group created legitimate Microsoft OneDrive accounts and then utilized those accounts to execute part of its attack. The observed activity was not related to any security issues or vulnerabilities within OneDrive, the researchers wrote.

It’s still unclear how the attackers gained initial access to their victims’ networks. But roughly 80% of them were running Fortinet appliances, which “suggests, but does not definitively prove” that the Polonium compromised the Fortinet appliances using a three-year-old vulnerability identified as CVE-2018-13379.

Polonium is likely an “operational group based in Lebanon” that may be coordinating with Iran’s Ministry of Intelligence and Security (MOIS), the researchers wrote.

“Such collaboration or direction from Tehran would align with a string of revelations since late 2020 that the Government of Iran is using third parties to carry out cyber operations on their behalf, likely to enhance Iran’s plausible deniability,” the Microsoft researchers wrote.

The researchers assessed with “moderate confidence” that Polonium is coordinating with multiple Iranian-linked hacking groups based on common targeting, evidence of possible “hand-off” operations, the use of Microsoft OneDrive for command and control functions and the use of AirVPN, which is common among the groups.

The U.S. government formally linked one of those groups — widely known as “MuddyWater” but tracked by Microsoft as “Mercury” — to the MOIS in January.

Omri Segev Moyal, a co-founder of Israeli incident response firm Profero Cyber Security, told CyberScoop in an online chat Thursday that Microsoft’s research is “once again showing the devastating vulnerability of Fortinet (CVE-2018-13379 aka fortifuck),” referring to a nickname for the vulnerability.

The ongoing exploitation of this particular vulnerability shows “how a single vulnerable appliance can effect a whole country for a long time,” he said, noting that his company’s statistics, as well as those of the Israeli CERT, show that it’s perhaps the most exploited by threat actors targeting Israel.

He also said that Microsoft’s research shows “the sticky connection between [Hezbollah] and MOIS when it comes to [targeting] Israeli cyberspace.”

Microsoft did not tie Polonium to Hezbollah, a Lebanese-based group with deep ties to Iran that the U.S. government designated as a foreign terrorist organization in 1997 and blamed for multiple attacks on U.S. and Israeli targets over the years.

But Segev Moyal noted the documented history of collaboration and coordination between Hezbollah and Iran’s MOIS, which includes “intelligence collection and cyber and disinformation operations across the region,” according to a 2021 report from the U.S. based Middle East Institute.