Microsoft blocks Lebanese cyberattacks on Israeli firms, possibly directed by Iran - The Times of Israel


Microsoft has suspended over 20 OneDrive accounts for abusing the file hosting service in order to carry out cyberattacks on Israeli companies across numerous industries, including defense and financial services.


Company officials wrote Thursday that they had high confidence the organization behind the attacks, which the company dubbed “Polonium,” is based in Lebanon, and said they had moderate confidence that it was collaborating with Iran’s Ministry of Intelligence and Security (MOIS).


“Such collaboration or direction from Tehran would align with a string of revelations since late 2020 that the government of Iran is using third parties to carry out cyber operations on their behalf, likely to enhance Iran’s plausible deniability” of direct cyberattacks, Microsoft said.

The company said Polonium has targeted organizations previously targeted by Mercury, an identified “subordinate element” within MOIS, and has used similar tactics to those of Iranian cyber groups “Lyceum” and “CopyKittens.”


Microsoft suggested that these factors point to possible “hand-off” operations, whereby MOIS provides Polonium with access to previously compromised victim environments in order to execute new activity.






Microsoft has not linked any of Polonium’s attacks to those of other groups based in Lebanon, including Volatile Cedar, a cyber espionage group.



Microsoft development center in Herzliya Pituah, Oct 30, 2020. (Photo by Gili Yaari/Flash90)



Early last month, the National Cyber Directorate launched a joint venture with the Communications Ministry to strengthen Israeli cybersecurity in the hopes of