Microsoft has suspended over 20 OneDrive accounts for abusing the file hosting service in order to carry out cyberattacks on Israeli companies across numerous industries, including defense and financial services.
Company officials wrote Thursday that they had high confidence the organization behind the attacks, which Microsoft dubbed “Polonium,” is based in Lebanon, and said they had moderate confidence that it was collaborating with Iran’s Ministry of Intelligence and Security (MOIS).
“Such collaboration or direction from Tehran would align with a string of revelations since late 2020 that the government of Iran is using third parties to carry out cyber operations on their behalf, likely to enhance Iran’s plausible deniability” of direct cyberattacks, Microsoft said.
The company said Polonium has targeted organizations previously targeted by Mercury, an identified “subordinate element” within MOIS, and has used similar tactics to those of Iranian cyber groups “Lyceum” and “CopyKittens.”
Microsoft suggested that these factors point to possible “hand-off” operations, whereby MOIS provides Polonium with access to previously compromised victim environments in order to execute new activity.