From a86d866534d2017aa2a73405978faeb777793e11 Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Tue, 12 Jul 2022 12:14:27 +0000
Subject: [PATCH] Add POLONIUM TA.
---
 clusters/threat-actor.json | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a8e651b..5b57f9f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9542,7 +9542,40 @@
 },
 "uuid": "091a0b69-74de-44b6-bb12-16b7a8fd078b",
 "value": "ToddyCat"
+ },
+ {
+ "description": "Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.",
+ "meta": {
+ "attribution-confidence": "75",
+ "cfr-suspected-state-sponsor": [
+ "Lebanon",
+ "Iran"
+ ],
+ "cfr-suspected-victims": [
+ "Israel"
+ ],
+ "cfr-target-category": [
+ "Critical manufacturing",
+ "Defense industrial base",
+ "Financial services",
+ "Food and agriculture",
+ "Government agencies and services",
+ "Healthcare and public health",
+ "Information technology",
+ "Transportation systems"
+ ],
+ "cfr-type-of-incident": "Espionage",
+ "country": [
+ "LB",
+ "IR"
+ ],
+ "refs": [
+ "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/"
+ ]
+ },
+ "uuid": "3c5129ea-8f18-4bcf-a33b-b5aab0720494",
+ "value": "POLONIUM"
 }
 ],
- "version": 229
+ "version": 230
 }
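Review bot: The new POLONIUM entry lists both Lebanon and Iran under `cfr-suspected-state-sponsor` and `country`, but its `description` only supports a Lebanon-based group, so the basis for the Iran attribution is invisible to anyone consuming this cluster. The only `refs` entry is the Microsoft blog post; if that is where the Iran link comes from (it reportedly describes coordination with Iran-affiliated actors), extend the description with one sentence stating that, so the reader can see what `"attribution-confidence": "75"` is meant to cover. As written it is also ambiguous whether 75 applies to Lebanon, to Iran, or to the pairing, and a single confidence value over two suspected sponsors will be read differently by different consumers. The enclosing `values` array this entry is appended to begins well before the hunk.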