Microsoft revealed in early June that it had identified and disrupted attacks by a Lebanon-based hacking group. Known as Polonium, the group is suspected of working for the Ministry of Intelligence of the Islamic Republic of Iran (VAJA).
Lebanese hackers sent by Iran
The Microsoft Threat Intelligence Center (MSTIC) announced that it has suspended more than 20 malicious OneDrive accounts. The attackers reportedly used Microsoft's cloud storage service to store stolen data for later use in their operations.
Over the past three months, Polonium allegedly used these accounts to compromise around 20 organizations based in Israel, as well as an intergovernmental organization operating in Lebanon. The attackers mainly targeted Israeli companies in the IT and defense sectors. Microsoft indicates that in one case the group compromised an IT company and then used that access to target an aviation company and a law firm downstream, a supply-chain attack: "They used credentials stolen from service providers to access networks." The names of the victim organizations have not been disclosed.
For now, MSTIC states that the Polonium group operates from Lebanon. Microsoft's researchers are more cautious about linking its activity to VAJA: "We also assess with moderate confidence that the activity was coordinated with other actors affiliated with VAJA, primarily because of the common victims and the similarity of the tools and techniques used," the company explains in its post.
According to Microsoft's investigation, VAJA members provided Polonium with access they had already obtained to certain victims. "Such collaboration or even direction on the part of Tehran would align with the series of revelations since 2020 that the Iranian government has been using third parties to carry out cyberattacks on its behalf," MSTIC adds.
The Lebanese hackers are believed to have exploited a well-known vulnerability in Fortinet's products, CVE-2018-13379, a path traversal in the FortiOS SSL VPN web portal that lets an unauthenticated attacker read system files, including the file holding active VPN session credentials. The same flaw was behind the leak of roughly 500,000 Fortinet VPN usernames and passwords onto the Internet last year.
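As an added example (not from the article, Microsoft or Fortinet), the following Python script shows what a defender would look for in FortiOS SSL VPN access logs to spot CVE-2018-13379 exploitation. The request shape it matches is the publicly documented one for this CVE: a `lang` parameter on `/remote/fgt_lang` that traverses out of the language directory, typically toward `sslvpn_websession`. The log layout and all sample lines are constructed for the example.

```python
"""Flag CVE-2018-13379-style requests in FortiOS SSL-VPN access logs.

Added example; the log lines are constructed. The request path matched below
is the publicly documented one for this CVE (a path traversal through the
'lang' parameter of /remote/fgt_lang that reads the sslvpn_websession file).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_ENDPOINT = "/remote/fgt_lang"   # endpoint the traversal goes through
TARGET_FILE = "sslvpn_websession"    # plaintext session/credential file

# Combined-log-format style lines (assumed layout for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(url):
    """Return None (benign), "traversal" (lang escapes its directory) or
    "session-file" (a traversal that ends on the session file)."""
    parts = urlsplit(url)
    if parts.path != VULN_ENDPOINT:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("lang", []):
        value = unquote(raw)                   # parse_qs decoded once; this catches %252e%252e
        normalized = re.sub(r"/+", "/", value)  # the public PoC pads the path with '//////'
        if "../" in normalized or normalized.endswith(".."):
            return "session-file" if normalized.endswith(TARGET_FILE) else "traversal"
    return None


def scan_log(lines):
    """Return (ip, timestamp, status, kind) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_request(m.group("url"))
        if kind:
            hits.append((m.group("ip"), m.group("ts"), m.group("status"), kind))
    return hits


# Constructed sample log: one successful session-file read (200), one benign
# login-page request, one blocked double-encoded retry (403), one legitimate
# language switch.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2022:08:14:22 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 36218',
    '198.51.100.4 - - [10/Jun/2022:08:15:01 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jun/2022:08:16:40 +0000] "GET /remote/fgt_lang?lang=%252F..%252F..%252F..%252F..%252Fdev%252Fcmdb%252Fsslvpn_websession HTTP/1.1" 403 0',
    '192.0.2.9 - - [10/Jun/2022:08:17:03 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, ts, status, kind in scan_log(SAMPLE_LOG):
        # A 200 on a session-file read means the appliance was unpatched and
        # every session in that file must be treated as stolen; a 403 is a
        # blocked attempt worth correlating with the source IP.
        print(f"{ts} {ip} {kind} (HTTP {status})")
```

The important operational point, and the reason the 2021 credential dump still mattered long after the patch: applying the fix closes the read path but does not invalidate credentials that were already harvested from the session file. A 200 on a request of this shape should trigger a password reset for the affected VPN accounts, not just a patch.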
Iran knows cyber espionage inside out
Iran is a seasoned hand at cyberattacks. In 2010, after a major attack (Stuxnet) on the computers of its nuclear program, the country decided to invest in cyber capabilities. In 2012, using those new capabilities, it wiped nearly 30,000 computers at the Saudi oil company Aramco.
At the end of 2020, Microsoft was already warning of Iran's possible involvement in the hacking of mailboxes belonging to American journalists and a candidate in the United States presidential election. Since then, US authorities have been wary of such offensives and fear for their companies in the telecommunications and energy sectors.
More recently, Iran was suspected of carrying out one of the largest cyberattacks in Israel's history, when Israeli government websites were knocked offline by a powerful distributed denial of service (DDoS) attack. Iran has for years positioned itself as Israel's adversary, with Lebanon at its side, which reinforces the hypothesis raised by Microsoft that Tehran was the mastermind behind the malicious OneDrive accounts.