ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Polonium

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Polonium

NamesPolonium (Microsft)
Plaid Rain (Microsoft)
CountryLebanon Lebanon
MotivationInformation theft and espionage
First seen2022
Description(Microsoft) MSTIC assesses with high confidence that POLONIUM represents an operational group based in Lebanon. We also assess with moderate confidence that the observed activity was coordinated with other actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques. Such collaboration or direction from Tehran would align with a string of revelations since late 2020 that the Government of Iran is using third parties to carry out cyber operations on their behalf, likely to enhance Iran’s plausible deniability.

POLONIUM has targeted or compromised more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months. This actor has deployed unique tools that abuse legitimate cloud services for command and control (C2) across most of their victims. POLONIUM was observed creating and using legitimate OneDrive accounts, then utilizing those accounts as C2 to execute part of their attack operation.
ObservedSectors: Engineering, Defense, IT, Manufacturing, Media, Telecommunications.
Countries: Israel, Lebanon.
Tools usedCreepyDrive, CreepySnail, DeepCreep, FlipCreep, MegaCreep, PapaCreep, TechnoCreep.
Operations performedSep 2022POLONIUM targets Israel with Creepy malware

Last change to this card: 26 April 2023

Download this actor card in PDF or JSON format

Previous: Poison Carp, Evil Eye
Next: Poseidon Group

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]