G1005: POLONIUM
POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.[1]
Analyst context for executives and security teams
POLONIUM matters because the ATT&CK record ties this group to targeted operations against Israeli organizations, including critical manufacturing, IT, and defense, and to behaviors that can blend into normal business activity: valid account abuse, trusted relationships, proxies, legitimate web services, and cloud storage exfiltration. For leaders, the practical issue is not just malware; it is whether identity, third-party access, cloud storage, and endpoint telemetry can distinguish legitimate collaboration from adversary-controlled use of common services.
Executive priority
Prioritize this as a resilience and assurance question for organizations with Israeli exposure, defense/critical manufacturing/IT operations, or sensitive third-party connections. Ask whether the organization can prove who is accessing externally available services, which partners have privileged access, where OneDrive/Dropbox-like traffic is permitted, and whether SOC and IR teams can investigate cloud-based command-and-control or exfiltration without relying only on perimeter alerts.
Technical view
MITRE does not provide a detection section for POLONIUM, so coverage should be validated from the related ATT&CK relationships. Focus on T1078 Valid Accounts, T1199 Trusted Relationship, T1090 Proxy, T1102.002 Bidirectional Communication, T1567.002 Exfiltration to Cloud Storage, and the related custom implants CreepyDrive and CreepySnail. SOC teams should confirm visibility across identity provider sign-ins, remote access, third-party access paths, endpoint PowerShell activity, Windows/Office Suite endpoints where applicable, web proxy/DNS/egress logs, and cloud storage audit events involving OneDrive or Dropbox-like services.
Likely telemetry
- Identity provider authentication logs, MFA events, conditional access decisions, and anomalous sign-in context
- Remote access and externally available service logs such as VPN, webmail, network device access, and remote desktop where present
- Third-party and service provider account activity, privilege use, and access reviews
- Endpoint telemetry for Windows hosts, including PowerShell execution and suspicious script or implant behavior relevant to CreepySnail
- Office Suite and cloud collaboration audit logs, especially OneDrive activity associated with CreepyDrive-related behavior
Detection direction
- Because official POLONIUM detection guidance is not supplied, map detections to the related techniques rather than the group name alone.
- Tune identity detections for impossible travel, atypical source networks, new device/browser patterns, unusual privilege use, and persistence through valid accounts while accounting for legitimate remote work.
- Review third-party access paths for accounts that receive less monitoring than employee accounts; trusted relationships are a material blind spot when they bypass normal access scrutiny.
- Baseline sanctioned cloud storage and collaboration traffic so exfiltration to cloud storage or C2 over legitimate web services does not disappear into normal business use.
- Validate PowerShell logging and endpoint alert fidelity for custom implant-like behavior, but avoid assuming malware signatures alone will provide coverage.
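One way to act on the cloud-storage baselining point above, as an added example that is not Microsoft's or the ATT&CK project's code: a small Python check that parses constructed web proxy lines, sums upload bytes per account to OneDrive/Dropbox hosts, and flags accounts outside an assumed sanctioned set or above an assumed daily baseline. The log format, the host list, the user set and the threshold are all assumptions made for this page.

```python
# Added example (not Microsoft's or MITRE's code): baseline check for
# OneDrive/Dropbox egress in web proxy logs. Log format, sanctioned-user
# list and volume threshold are assumptions made for this page.
from collections import defaultdict

# Constructed sample lines: timestamp user src_ip method dest_host bytes_out
PROXY_LOG = """\
2022-06-01T09:00:01 alice 10.1.1.5 PUT graph.microsoft.com 204800
2022-06-01T09:02:10 alice 10.1.1.5 PUT graph.microsoft.com 102400
2022-06-01T09:05:00 bob 10.1.1.9 GET onedrive.live.com 512
2022-06-01T09:06:00 svc-itvendor 10.1.1.30 PUT api.dropboxapi.com 12000000
2022-06-01T09:06:30 svc-itvendor 10.1.1.30 POST content.dropboxapi.com 9000000
2022-06-01T09:07:00 svc-itvendor 10.1.1.30 GET api.dropboxapi.com 300
"""

# Hostnames the assumed sanctioned collaboration tooling talks to.
CLOUD_STORAGE = {"graph.microsoft.com", "onedrive.live.com",
                 "api.dropboxapi.com", "content.dropboxapi.com"}
SANCTIONED_USERS = {"alice", "bob"}   # assumed: accounts allowed to upload
UPLOAD_METHODS = {"PUT", "POST"}
DAILY_UPLOAD_BASELINE = 5_000_000     # assumed bytes per user per day

def parse_line(line):
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].isdigit():
        return None
    ts, user, src_ip, method, host, size = parts
    return {"ts": ts, "user": user, "src_ip": src_ip,
            "method": method.upper(), "host": host.lower(), "bytes": int(size)}

def upload_bytes(log_text):
    """Sum bytes uploaded per user to cloud-storage hosts (GETs ignored)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] in CLOUD_STORAGE and rec["method"] in UPLOAD_METHODS:
            totals[rec["user"]] += rec["bytes"]
    return dict(totals)

def find_anomalies(log_text):
    """Return sorted (user, reason) pairs that deserve analyst review."""
    findings = set()
    for user, total in upload_bytes(log_text).items():
        if user not in SANCTIONED_USERS:      # cloud-storage upload from an unexpected account
            findings.add((user, "unsanctioned_upload"))
        if total > DAILY_UPLOAD_BASELINE:     # volume well above the normal sync baseline
            findings.add((user, "volume_over_baseline"))
    return sorted(findings)
```

The third-party service account in the sample is flagged twice, which is the pattern the trusted-relationship and cloud-storage notes on this page describe; in production the user set and baseline would come from your own sanctioned-service inventory rather than constants.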
Mitigation priorities
- Start with identity controls: enforce strong authentication, least privilege, rapid credential revocation, and monitoring for externally accessible services.
- Govern trusted relationships: inventory third-party access, require explicit ownership, time-bound privileges, logging, and periodic review of partner/service provider accounts.
- Control and monitor cloud storage use: define sanctioned services, restrict unsanctioned destinations where appropriate, and retain audit logs for uploads, sharing, and large transfers.
- Improve endpoint readiness on relevant Windows and Office Suite environments by enabling script logging, EDR collection, and investigation workflows for suspicious PowerShell activity.
- Harden egress visibility: ensure web proxy, DNS, and firewall logs can support investigations into proxy use and legitimate web service abuse.
Analyst notes and limits
The ATT&CK object describes POLONIUM as Lebanon-based and primarily targeting Israeli organizations since at least February 2022, with Microsoft-assessed coordination with actors affiliated with Iran’s MOIS based on victim overlap and common techniques/tooling. Related software includes CreepyDrive, associated with C2 and exfiltration to actor-controlled OneDrive accounts, and CreepySnail, a custom PowerShell implant. The alias Plaid Rain is included from Microsoft threat actor naming.
Platforms and tactics are not specified on the group object, and no official detection text is provided. Platform and telemetry guidance here is inferred only from supplied related software and technique relationships, so local validation is required before claiming coverage or exposure.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1567.002 | Exfiltration to Cloud Storage | |
| Enterprise | T1102.002 | Bidirectional Communication | POLONIUM has used OneDrive and DropBox for C2.[1] |
| Enterprise | T1090 | Proxy | POLONIUM has used the AirVPN service for operational activity.[1] |
| Enterprise | T1588.002 | Tool | POLONIUM has obtained and used tools such as AirVPN and plink in their operations.[1] |
| Enterprise | T1199 | Trusted Relationship | POLONIUM has used compromised credentials from an IT company to target downstream customers including a law firm and aviation company.[1] |
| Enterprise | T1583.006 | Web Services | POLONIUM has created and used legitimate Microsoft OneDrive accounts for their operations.[1] |
| Enterprise | T1078 | Valid Accounts | POLONIUM has used valid compromised credentials to gain access to victim environments.[1] |
Groups, software, and campaigns
S1023: CreepyDrive
CreepyDrive is a custom implant that has been used by POLONIUM since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts.[1]
POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.[1]
S1024: CreepySnail
CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 8ef1986491d2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft POLONIUM June 2022
Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
[2] Microsoft Threat Actor Naming July 2023
Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[3] Plaid Rain (Citation: Microsoft Threat Actor Naming July 2023)
[4] mitre-attack G1005
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.