Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific

Iran Threatens Israel's Critical Infrastructure With 'Polonium' Proxy

Cyber mimics life, as Iran uses Lebanese hackers to attack its bête noire.

3 Min Read
Iran and Israel flags on chess pieces
Source: Sameer Chogale via Alamy Stock Photo

Israel's critical infrastructure is under threat from an Iranian proxy hacking group operating in Lebanon.

Iran's partnership with armed militant groups throughout the Middle East is well documented. Less widely known is its collaboration with extranational hackers, like "Polonium" (aka "Plaid Rain"), which since 2021 has seemingly operated with the sole purpose of attacking Israel.

According to Microsoft, in the spring of 2022 alone, Polonium spied on more than 20 Israeli organizations across commercial, critical, and government sectors, including transportation, critical manufacturing, IT, finance, agriculture, and healthcare.

Now the group seems to have taken a step up. On Dec. 4, Israel's National Cyber Directorate warned that Polonium has targeted further critical infrastructure sectors, including water and energy. And besides espionage, the Directorate wrote, "a trend to implement destructive attacks has recently been identified."

Dark Reading has reached out to Israel's Ministry of Defense for further details, but has not yet received a reply.

Polonium's M.O.

From a country with only a few, relatively quiet APT groups — Volatile Cedar, Tempting Cedar, and Dark Caracal — one may be tempted to underestimate Polonium.

But beyond Microsoft's findings on its targets, in October 2022, researchers from ESET found an additional dozen-plus attacks carried out by the same group, in the same year, across even more sectors including engineering, law, communications, marketing, media, insurance, and social services.

For initial access, Polonium most often exploited Fortinet devices — using leaked Fortinet VPN credentials, or via CVE-2018-13379, a CVSS 9.8 "critical"-rated vulnerability in Fortinet devices, patched before the group even came into being. For command-and-control (C2), it preferred cloud services like Microsoft OneDrive, Dropbox, and Mega.

Most notably, in that first year of its operation, the group had deployed no less than seven custom backdoors against their targets, capable of deploying reverse shells, exfiltrating files, taking screenshots, logging keystrokes, taking control of webcams, and more.

And rather than packaging these backdoors as a monolith, the hackers divided them up into fragments – tiny files, each with limited functionality. For example, one dynamic link library (DLL) file would be responsible for screen grabs, and then another took care of uploading them to a C2 server. "The idea is to split functionalities into various components, so that individual components look less suspicious to security software," explains Matias Porolli, malware researcher at ESET.

Even as Polonium evolved its tools and tactics in recent months, it still stuck to this formula.

"In 2023, they've moved away from executables and DLL files and are using scripting languages for their malware. We've observed Python backdoors as well as LUA backdoors," Porolli says, noting that the latter is quite uncommon.

"They still put the configuration for their malware in a separate file. This makes it harder for analysts to understand the flow of execution, in those cases where the analysts don't have all the files used in the attacks," he says.

Iran's Proxy Cyber War

Against the backdrop of war in Gaza, Israel has faced a significant rise in cyberattacks.

For example, three weeks into the war, the Cyber Directorate had already identified more than 40 attempts to compromise digital service and storage providers. "There was an increase in attempts against such companies and even incidents that caused real damage to several companies simultaneously," the agency wrote in an alert.

The greater issue, it explained, was that "the potential for damage may also reach vital entities connected to these companies, whose role in routine and even more so in emergencies is critical, including hospitals, shipping companies, government ministries, and more."

That its attackers are not always the ones pulling the strings only makes defending against them that more difficult, says Maria Cunningham, director of threat research ReliaQuest. "Russia is often the first nation-state that comes to mind here," she says, though "an interesting modus operandi is often displayed by threat actors attributed to North Korea which may well look criminal in nature at first glance."

"This can provide plausible deniability for the attacker; for the defender, it can limit attribution and, more importantly, hinder the understanding of what might come next in the attacker's armory," she says.

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights