Iran-Linked Hackers Use Custom Backdoors on Israeli Targets

Polonium Uses Commercial Cloud Storage Accounts for Command and Control
The Rosh Hanikra border between Israel and Lebanon (Image: Avishai Teicher/CC BY 2.5)

An advanced persistent threat group based in Lebanon and affiliated with Iran is using custom backdoors to target Israeli organizations.

The APT group tracked as Polonium targets organizations across verticals including engineering, information technology, law, communications, branding, marketing, media, insurance and social services.

Telemetry gathered by cybersecurity firm Eset shows the group targeting more than a dozen Israeli organizations since last fall, including through an operation detected in September. Microsoft first documented the threat actor's existence in June after it detected the group using OneDrive storage for command and control.

Eset's findings are that the group uses a slew of cloud storage accounts, including Dropbox and Mega, in addition to OneDrive, as part of a suite of custom-coded backdoors. The backdoors, whose names are all variations on the word "creep," such as DeepCreep and MegaCreep, contact the cloud storage accounts to access text files from which they read the commands they then execute. A backdoor variation known as FlipCreep instead contacts a Polonium FTP server to access a file named orders.txt.
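The cloud-storage polling described above is also something a defender can look for: a backdoor fetching its command file on a timer produces regular connections to a storage API from a process that has no business talking to it. The following is an added example, not code from Eset's report or from this article: a small Python beaconing check run over constructed proxy log lines. The destination watchlist, the process allowlist, the log line format and the process names are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Illustrative watchlist (an assumption for this example): API hosts of the cloud
# storage services named in the article as command-and-control channels.
WATCHED_DESTINATIONS = {"api.dropboxapi.com", "g.api.mega.co.nz", "graph.microsoft.com"}
# Processes expected to contact those services; anything else polling them stands out.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "onedrive.exe", "dropbox.exe"}
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$")

def find_cloud_beacons(lines, min_hits=4, max_jitter=0.2):
    """Return (host, proc, dst, mean_interval_s) for fixed-interval polling of watched hosts."""
    timestamps = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dst"] not in WATCHED_DESTINATIONS:
            continue  # not a watched destination (or not in the constructed format)
        if m["proc"].lower() in EXPECTED_CLIENTS:
            continue  # browser or legitimate sync client
        timestamps[(m["host"], m["proc"], m["dst"])].append(datetime.fromisoformat(m["ts"]))
    findings = []
    for key, stamps in timestamps.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low coefficient of variation means a fixed schedule, typical of a timer-driven poll.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((*key, round(avg)))
    return findings

# Constructed proxy log excerpt: an unknown binary polls Dropbox every 60 s, while
# another non-allowlisted process hits Microsoft Graph at irregular, human-paced times.
SAMPLE_LOG = """\
2022-10-12T09:00:00 host=WS01 proc=updater.exe dst=api.dropboxapi.com
2022-10-12T09:00:03 host=WS01 proc=backup.exe dst=graph.microsoft.com
2022-10-12T09:01:00 host=WS01 proc=updater.exe dst=api.dropboxapi.com
2022-10-12T09:02:00 host=WS01 proc=updater.exe dst=api.dropboxapi.com
2022-10-12T09:02:41 host=WS01 proc=backup.exe dst=graph.microsoft.com
2022-10-12T09:03:00 host=WS01 proc=updater.exe dst=api.dropboxapi.com
2022-10-12T09:04:00 host=WS01 proc=updater.exe dst=api.dropboxapi.com
2022-10-12T09:17:22 host=WS01 proc=backup.exe dst=graph.microsoft.com
2022-10-12T09:19:05 host=WS01 proc=backup.exe dst=graph.microsoft.com
""".splitlines()

if __name__ == "__main__":
    print(find_cloud_beacons(SAMPLE_LOG))
```

Only the regular 60-second poller is reported; the irregular process passes the hit count but fails the jitter test, which keeps ordinary user-driven traffic to the same hosts out of the results.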

Iranian state-sponsored hacking - whether conducted directly or through proxies - has risen in prominence over the past decade. Iranian hackers may lack the sophistication of their Chinese or Russian counterparts, but they have achieved goals including a destructive attack against Albania earlier this year. They have also built tools such as a surreptitious email inbox scraper.

Researchers from Eset say Polonium backdoors distribute their functionality into small DLLs, "perhaps expecting that defenders or researchers will not observe the complete attack chain."

Once a backdoor is installed, the threat actors may make use of modules for functions such as key logging, taking screenshots, exfiltrating files and executing commands.

How the group gains initial access to the targeted systems remains unknown, but Eset researchers say that some of the victims' Fortinet VPN account credentials were leaked in September 2021 and made available online.

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
