Clankerusecase
Threat-actor profile

POLONIUM

POLONIUM is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 7 MITRE ATT&CK techniques, with 0 threat-intel articles citing it.

MITRE ATT&CK group: G1005

14 use cases · 0 articles · 7 techniques · 0 IOCs

About this actor (MITRE)

[POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess [POLONIUM](https://attack.mitre.org/groups/G1005) has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)

Known aliases

POLONIUM, Plaid Rain

Top techniques

All other tracked techniques

Detection use cases (14)

- POLONIUM CreepyDrive / CreepyBox / CreepySnail — PowerShell C2 over OneDrive & Dropbox APIs (AI · profile)
- POLONIUM trusted-relationship VPN logon followed by tunnel/reverse-proxy deployment (Plink/Chisel/Ligolo/Mesh) (AI · profile)
- 1Password impossible-travel sign-in (MITRE match)
- Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains (MITRE match)
- Script Interpreter or Package-Install Hook Egress to Free-Tier Edge SaaS Within 5 Minutes of Process Start (MITRE match)
- Vendor / Third-Party OAuth App or SP Sign-in From Unbaselined Egress Followed by Bulk SaaS Object Read (MITRE match)
- Atlassian administrator impersonating user (MITRE match)
- Auth0 anomalous attack-protection event spike (MITRE match)
- AWS Console login without MFA + impossible travel (MITRE match)
- AWS EC2 key-pair created (MITRE match)
- Credential-stuffing attack on application (MITRE match)
- GitLab password reset from suspicious IP (MITRE match)
- Cisco IOS XE Tunnel Interface Configuration (MITRE match)
- Cisco NVM - Rclone Execution With Network Activity (MITRE match)