Microsoft discovers new Iran-backed threat group
Named POLONIUM, the group is likely behind recent attacks on 20+ Israeli defense, IT and critical infrastructure organizations

A previously undocumented cyber threat group affiliated with Iran is most likely behind attacks over the past three months on more than 20 organizations based in Israel and one intergovernmental organization that operates in Lebanon.
On Thursday, the Microsoft Threat Intelligence Center (MSTIC) announced that it had detected and disabled attack activity abusing OneDrive. The researchers named the group POLONIUM. Its activities appear to be based in Lebanon and coordinated with other actors affiliated with Iran’s Ministry of Intelligence and Security.
“Such collaboration or direction from Tehran would align with a string of revelations since late 2020 that the government of Iran is using third parties to carry out cyber operations on their behalf, likely to enhance Iran’s plausible deniability,” says the MSTIC publication.
POLONIUM created legitimate OneDrive accounts, then used them, via unique tools, for command and control (C2) in its operations.
According to Microsoft, the threat group focused on Israel’s critical manufacturing, IT, transportation, food, finance, healthcare and defense industries, attempting at least one supply chain attack during which it compromised an IT company to target a downstream aviation company and a law firm. Multiple manufacturing companies that serve the Israeli defense industry were also targeted.
This was not the only time Iranian cyber operations made the news last week. On Wednesday, FBI Director Christopher Wray disclosed that the US managed to foil a potential cyberattack backed by the Iranian government against the Boston Children’s Hospital. Wray referred to this as “one of the most despicable cyberattacks I have ever seen.”
Also last week, Iran’s Fars news agency claimed that five Israeli cyber and defense experts are under close surveillance and viewed as potential targets. Titled “These are Zionists who should be living in hiding”, the Fars report included photos of the five, details about their families, home addresses, phone numbers and travel routes.
Israel’s counter-terrorism bureau issued an explicit warning against all non-essential travel to Turkey, fearing Iranian attacks.