POLONIUM (G1005): Persistent Cyber Espionage Targeting Israel
- Suspected Origin
- Lebanon (coordinated with Iran)
- Motivation
- Espionage
- Aliases
- Plaid Rain
- Target Sectors
- Critical Manufacturing, Information Technology, Defense Industry, Engineering, Law, Communications, Branding and Marketing, Media, Insurance, Social Services
- Associated Malware
- CreepyDrive, CreepySnail, DeepCreep, MegaCreep, FlipCreep, TechnoCreep, PapaCreep, custom keyloggers, screenshot tools, webcam spies, reverse shells, plink, AirVPN
Overview
POLONIUM, also known by the alias Plaid Rain (G1005), is a highly active and persistent cyber espionage group based out of Lebanon. This group has been primarily focused on targeting Israeli organizations since at least February 2022. While operating from Lebanon, security researchers assess that POLONIUM coordinates its operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), a connection inferred from victim overlap and shared tooling or techniques. Their motivation is clearly aligned with intelligence collection, showing no indication of engaging in disruptive or financially motivated activities like ransomware.
POLONIUM’s targeting scope is broad within Israel, encompassing a wide range of critical sectors. Initially identified targets included critical manufacturing, information technology, and defense industry companies. Further research has revealed their intrusions extend to engineering, law firms, communications, branding and marketing, media, insurance, and social services. This diverse victimology suggests a comprehensive intelligence gathering mandate rather than a singular focus on a specific industry, aiming to collect confidential data from their targets.
Tactics & Techniques
POLONIUM employs sophisticated and targeted tactics, techniques, and procedures (TTPs) designed for stealthy and persistent cyber espionage. A hallmark of their operations is the abuse of legitimate cloud services, particularly Microsoft OneDrive, Dropbox, and Mega, for command and control (C2) communications and data exfiltration. This method allows them to blend malicious traffic with legitimate network activity, making detection more challenging. They establish POLONIUM-owned accounts on these platforms to facilitate C2 and store exfiltrated data.
Initial access vectors are not always publicly known, but the group has leveraged compromised credentials to gain access to victim environments. In some instances, they have demonstrated capabilities for supply chain attacks, compromising IT or cloud service providers to pivot and gain access to downstream customers, including law firms and aviation companies. This is a tactic frequently observed with Iranian-linked groups, enhancing plausible deniability. Their use of VPN services like AirVPN for operational activity further obfuscates their true origin.
To maintain persistence and execute commands, POLONIUM often uses PowerShell backdoors and creates scheduled tasks in compromised systems. They are adept at developing modular malware, with components designed to run independently, making detection and analysis more difficult. The group also employs common open-source tools such as plink for SSH access.
Notable Campaigns
POLONIUM’s activity was first publicly documented by Microsoft in June 2022, detailing operations targeting Israeli organizations since February 2022. Microsoft’s initial report highlighted their abuse of OneDrive for C2 and their coordination with Iranian-affiliated actors. In response, Microsoft took action by suspending over 20 malicious OneDrive applications and notifying affected organizations.
Later in October 2022, ESET researchers published a more in-depth analysis, uncovering seven different custom backdoors used by POLONIUM since at least September 2021. This research revealed the extensive and constantly evolving nature of POLONIUM’s toolset and confirmed their highly targeted nature, impacting more than a dozen Israeli organizations across diverse verticals. This continuous development and deployment of new or modified tools underscore their dedication to long-term espionage.
One observed campaign involved POLONIUM compromising a cloud service provider in Israel to then target downstream customers, including a law firm and an aviation company. This illustrates a strategic approach to leverage trusted relationships for wider access, a tactic favored by various Iranian groups.
Associated Malware & Tools
POLONIUM possesses a rich and continuously evolving arsenal of custom malware, primarily backdoors designed for cyber espionage. Their toolset is characterized by the “Creepy” family of backdoors, many of which leverage cloud services for C2. Key custom backdoors include:
- CreepyDrive: A PowerShell backdoor that abuses OneDrive and Dropbox for C2 and data exfiltration.
- CreepySnail: A PowerShell backdoor that communicates with the attackers’ own C2 infrastructure.
- DeepCreep: A C# backdoor utilizing Dropbox for C2.
- MegaCreep: A C# backdoor that makes use of Mega file storage services for C2.
- FlipCreep, TechnoCreep, PapaCreep: These backdoors also receive commands from the attackers’ servers. PapaCreep, specifically identified in September 2022, is a modular backdoor, dividing its functions into smaller components to enhance stealth and persistence.
Beyond these core backdoors, POLONIUM has developed various custom modules for cyberespionage, including tools for taking screenshots, logging keystrokes (supporting both Hebrew and Arabic keyboards), spying via webcams, opening reverse shells, and exfiltrating files. They have been observed using both custom-developed keyloggers and publicly available ones. For network communication and tunneling, they leverage tools like AirVPN and plink. The group’s practice of dividing their malware into small, independent components and utilizing multi-step attack flows indicates a deliberate effort to hinder detection and analysis by security researchers.
Current Status
POLONIUM remains a highly active threat actor. As of the most recent public reporting in October 2022, ESET described them as “very active” and constantly modifying and developing new tools. Their consistent refinement of malware and persistence in targeting Israeli organizations indicate an ongoing, long-term commitment to their espionage objectives. While specific incidents beyond late 2022 are less publicly detailed, the pattern of continuous retooling and targeted activity suggests POLONIUM continues to pose a significant and evolving threat to organizations, particularly those within their specified victimology in Israel. The highly targeted nature of their attacks and the deliberate obfuscation of initial compromise vectors contribute to the limited public intelligence reports, but do not diminish their operational tempo.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call