Iran Threatens Israel's Critical Infrastructure With 'Polonium' Proxy

Cyber Security Threat Summary:
An Iranian proxy hacking group named Polonium, operating from Lebanon, poses a serious threat to Israel's critical infrastructure. Despite being less well known than other hacking groups, Polonium has intensified its attacks, targeting multiple Israeli sectors and evolving its tactics over time. Microsoft reported that in spring 2022 Polonium spied on over 20 Israeli organizations, including key sectors such as transportation, IT, finance, and healthcare. Recently, Israel's National Cyber Directorate warned of increased targeting of critical infrastructure sectors such as water and energy, highlighting a shift towards destructive attacks.

Security Officer Comments:
Polonium's methods involve exploiting vulnerabilities in Fortinet devices and using cloud services for command-and-control operations. Notably, the group developed custom backdoors, dividing their functionality into smaller files to evade security controls. Over time, Polonium has transitioned to writing its malware in scripting languages such as Python and Lua, making it more challenging for analysts to decipher its operations.

Suggested Correction(s):
Organizations can make APT groups' lives more difficult. Here's how:

Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.

Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.

Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.

Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.

Link(s):
https://www.darkreading.com/