After detecting a Lebanese hacking group it calls Polonium abusing its OneDrive personal storage service, Microsoft says it was able to disable the group, which could have links to the Iranian government.
In its latest effort, the advanced persistent threat (APT) targeted more than 20 Israeli organizations and one intergovernmental organization. The Microsoft Threat Intelligence Center (MSTIC) says it suspended more than 20 malicious OneDrive applications created by Polonium actors in the campaign.
Among the targeted organizations were those involved in critical manufacturing, transportation systems, financial services, IT, and Israel’s defense industry, the software giant says – all of which offer an avenue to carry out downstream supply chain attacks.
"In at least one case, Polonium’s compromise of an IT company was used to target a downstream aviation company and law firm in a supply-chain attack that relied on service provider credentials to gain access to the targeted networks," according to MSTIC. "Multiple manufacturing companies they targeted also serve Israel’s defense industry, indicating a Polonium tactic that follows an increasing trend by many actors, including among several Iranian groups, of targeting service provider access to gain downstream access."
Polonium's Infection Routine
In 80% of the observed cases, the group exploited a flaw in Fortinet VPN appliances (likely via CVE-2018-13379 vulnerability) to gain initial access. Then they installed a custom PowerShell implant called CreepySnail on the target networks, according to Microsoft. From there, the actors deployed a set of tools named CreepyDrive and CreepyBox to abuse legitimate cloud services for command-and-control (C2) across most of their victims.
MSTIC says with “moderate confidence” that the attacks were likely carried out with help from Iran’s Ministry of Intelligence and Security (MOIS).
"The observed activity was coordinated with other actors affiliated with Iran's [MOIS], based primarily on victim overlap and commonality of tools and techniques," the MSTIC assessment states. “The tactic of leveraging IT products and service providers to gain access to downstream customers remains a favorite of Iranian actors and their proxies.”
Cyber Operations in Support of State Objectives
Sherrod DeGrippo, Proofpoint’s vice president of threat research and detection, explains that Iran, specifically MOIS, uses a variety of organizations and affiliates to conduct cyber operations in support of Iranian government interests.
“This activity, which spans the spectrum of state responsibility, mirrors Iran’s material support to various organizations,” she says.
From DeGrippo’s perspective, this report demonstrates another example of how Iran and Israel are engaged in cyber conflict and comes amid rising gray zone tensions between Iran and its adversaries.
In March 2021, for example, Proofpoint reported on how the Iran-aligned threat actor TA453 had targeted Israeli and American medical researchers in late 2020. TA453 has historically aligned with Islamic Revolutionary Guard Corps (IRGC) priorities, targeting dissidents, academics, diplomats, and journalists.
“While this campaign may have been a one-off requirement, TA453 targeting Israeli organizations and individuals is consistent with these ever-increasing geopolitical tensions between the two countries,” she noted.
Defense Should Focus on Authentication Activity
Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation, says that while knowing Polonium’s exact motivation is impossible, given the known animosity between the states involved, it’s a “reasonably safe bet” they are trying to do as much damage to their targets as possible as part of a larger agenda.
“State and state-sponsored threat actors compound the problems presented by common cybercriminal groups,” he explains to Dark Reading. “Where criminals are typically after information for sale, data to hold for ransom, or resources to use for further attacks, state-level actors often have additional, much deeper motivations,” such as cyber-espionage or destructive attacks.
Because of the overlap in techniques and tools, it can be difficult to tell the two apart, which can complicate the matter for targeted organizations, he adds.
Fending Off State-Sponsored Cyberattacks
To thwart attacks like these, Microsoft advises that organizations should review all authentication activity throughout their remote access infrastructure and VPNs. A particular focus should be fixed on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.
Parkin points out that access and authentication logs can easily reveal suspicious activity and keep an attempted breach from turning into a newsworthy incident.
“There is an old saying from system administration about the uselessness of keeping logs that are never reviewed,” he says. “With access logs, regular reviews for suspicious activity should be happening regularly. If not, why keep them?”
In addition to patching known vulnerabilities, Proofpoint’s DeGrippo also notes that a basic best practice for defense is ensuring that all remote-access accounts are required to enable multifactor authentication (MFA).
“Those accounts that require only single-factor authentication do not have the protection MFA provides, allowing an attacker to successfully phish or social engineer a user’s password without encountering a secondary authentication,” she adds.
VPNs: Taking a Page From Fancy Bear
Phil Neray, vice president of cyber-defense strategy at CardinalOps, a threat coverage optimization company, tells Dark Reading that Russian threat actor Fancy Bear (aka APT28 and Strontium) also targeted VPNs on a large scale in 2018 with the VPNFilter campaign, which similarly targeted critical infrastructure.
MITRE ATT&CK categorizes this approach as T1133 External Remote Services, with recommended mitigations including creating security information and event management (SIEM) detection queries that examine authentication logs for unusual access patterns, windows of activity, and access outside of normal business hours.
“Exploiting vulnerable VPNs as the initial access point, as in this campaign, is also attractive since VPNs are Internet-exposed on one side and provide direct access to the victim network on the other,” Neray says. “We recommend ensuring your SIEM has specific detections for it, such as monitoring for suspicious logins.”