December 7, 2023 at 10:29AM
Iranian-backed Lebanese hackers, known as Polonium, have escalated cyberattacks on Israel’s critical infrastructure, expanding from espionage to destructive operations. Microsoft reported that Polonium has targeted multiple Israeli sectors since 2021, with a recent focus on water and energy. The group often splits its malware into fragments to evade detection. The attacks coincide with increased regional tensions and cyber threats.
Meeting Takeaways:
1. Israeli infrastructure is threatened by “Polonium,” an Iranian proxy hacker group based in Lebanon.
2. Polonium has been actively targeting Israeli organizations since 2021, with an escalation observed in 2022 involving espionage and potentially destructive attacks.
3. The group has targeted a wide range of sectors including commercial, government, critical infrastructure (like water and energy), IT, finance, healthcare, agriculture, engineering, law, communications, marketing, media, insurance, and social services.
4. Microsoft reported Polonium’s activities, observing espionage on over 20 Israeli entities in spring 2022.
5. On December 4th, Israel’s National Cyber Directorate noted a shift in Polonium’s tactics, suggesting a move towards implementing destructive attacks.
6. Polonium exploits vulnerabilities in Fortinet devices and uses cloud services such as Microsoft OneDrive, Dropbox, and Mega for command-and-control (C2).
7. The group is known for using seven different custom backdoors and splitting their functionalities into smaller, less detectable components.
8. In 2023, Polonium evolved its malware tooling, moving from executables and DLL files to scripting languages such as Python and Lua, making it harder for security analysts to follow the malware’s execution flow.
9. The Cyber Directorate indicated a rise in cyberattacks during the Gaza war, with over 40 attempts recorded in three weeks aimed at digital service and storage providers, which could indirectly affect critical entities such as hospitals and government ministries.
10. The dynamic nature and indirect methods of these attacks make them difficult to defend against and to attribute, giving the attackers plausible deniability.
It is recommended to continue monitoring the situation, enhance defense measures across all potential sectors at risk, and investigate the attacks for better attribution and prevention strategies. Coordination with international cybersecurity entities is also advised for a more effective response to such proxy cyber wars.