Threat Actor Profile
High APT
Description

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)

Confidence Score
90%
Known Aliases
POLONIUM, Plaid Rain
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown in this record (the description places activity since at least February 2022)

Last Updated

Unknown in this record (the STIX object on this page was last modified 2024-01-08)

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (7)
T1090 - Proxy
Command and Control
T1102.002 - Web Service: Bidirectional Communication
Command and Control
T1078 - Valid Accounts
Defense Evasion
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
Exfiltration
T1199 - Trusted Relationship
Initial Access
T1583.006 - Acquire Infrastructure: Web Services
Resource Development
T1588.002 - Obtain Capabilities: Tool
Resource Development
STIX Data
{
  "aliases": ["POLONIUM", "Plaid Rain"],
  "created": "2022-07-01T19:07:04.253Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess [POLONIUM](https://attack.mitre.org/groups/G1005) has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)",
  "external_references": [
    {
      "external_id": "G1005",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G1005"
    },
    {
      "description": "(Citation: Microsoft Threat Actor Naming July 2023)",
      "source_name": "Plaid Rain"
    },
    {
      "description": "Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
      "source_name": "Microsoft Threat Actor Naming July 2023",
      "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
    },
    {
      "description": "Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.",
      "source_name": "Microsoft POLONIUM June 2022",
      "url": "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/"
    }
  ],
  "id": "intrusion-set--5f3d0238-d058-44a9-8812-3dd1b6741a8c",
  "modified": "2024-01-08T21:56:22.594Z",
  "name": "POLONIUM",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "2.0"
}
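The two machine-readable parts of this profile, the STIX 2.1 intrusion-set object above and the ATT&CK technique list earlier on the page, are what an analyst actually consumes. The following is an added example (not MITRE's code and not the profile site's own tooling) showing how to check the object's identifiers and timestamps before trusting it, pull the ATT&CK group ID out of external_references, and turn the seven listed techniques into an ATT&CK Navigator layer. The object fields and technique/tactic pairs are copied from this page; the layer name, the version numbers and the highlight colour are assumptions for illustration.

```python
"""Consume this profile's STIX 2.1 intrusion-set object and its ATT&CK
technique list: check identifiers, pull the group ID, emit a Navigator layer.
Added example, not MITRE's or the profile site's code. Object fields and
technique/tactic pairs come from the page; layer metadata is assumed."""
import json
import re
from datetime import datetime, timezone

STIX_ID_RE = re.compile(r"^(?P<type>[a-z][a-z0-9-]+)--"
                        r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Abridged copy of the intrusion-set object shown on this page.
POLONIUM = {
    "type": "intrusion-set",
    "spec_version": "2.1",
    "id": "intrusion-set--5f3d0238-d058-44a9-8812-3dd1b6741a8c",
    "created": "2022-07-01T19:07:04.253Z",
    "modified": "2024-01-08T21:56:22.594Z",
    "name": "POLONIUM",
    "aliases": ["POLONIUM", "Plaid Rain"],
    "revoked": False,
    "x_mitre_deprecated": False,
    "x_mitre_domains": ["enterprise-attack"],
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "G1005",
         "url": "https://attack.mitre.org/groups/G1005"},
        {"source_name": "Microsoft POLONIUM June 2022",
         "url": "https://www.microsoft.com/security/blog/2022/06/02/"
                "exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/"},
    ],
}

# Technique IDs and tactics as listed in the profile's ATT&CK section.
TECHNIQUES = [
    ("T1090", "Command and Control"), ("T1102.002", "Command and Control"),
    ("T1078", "Defense Evasion"), ("T1567.002", "Exfiltration"),
    ("T1199", "Initial Access"), ("T1583.006", "Resource Development"),
    ("T1588.002", "Resource Development"),
]


def _ts(s):
    """Parse a STIX timestamp (RFC 3339, UTC, optional fractional seconds)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"not a STIX timestamp: {s}")


def validate_intrusion_set(obj):
    """Return a list of problems; an empty list means the object passed."""
    problems = [f"missing required field {f}" for f in
                ("type", "spec_version", "id", "created", "modified", "name")
                if f not in obj]
    if problems:
        return problems
    if obj["type"] != "intrusion-set":
        problems.append(f"unexpected type {obj['type']}")
    if obj["spec_version"] != "2.1":
        problems.append(f"unexpected spec_version {obj['spec_version']}")
    m = STIX_ID_RE.match(obj["id"])
    if not m:
        problems.append("id is not <type>--<uuid>")
    elif m.group("type") != obj["type"]:
        problems.append("id prefix does not match type")
    if _ts(obj["modified"]) < _ts(obj["created"]):
        problems.append("modified precedes created")
    if obj.get("revoked") or obj.get("x_mitre_deprecated"):
        problems.append("object is revoked or deprecated")
    return problems


def attack_group_id(obj):
    """ATT&CK group ID (G-number) from external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def navigator_layer(obj, techniques, score=1):
    """Navigator layer dict highlighting the listed techniques. Tactic names are
    slugified as Navigator expects; version numbers are assumptions."""
    return {
        "name": f"{obj['name']} ({attack_group_id(obj)})",
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": obj.get("x_mitre_domains", ["enterprise-attack"])[0],
        "techniques": [{"techniqueID": tid,
                        "tactic": tactic.lower().replace(" ", "-"),
                        "score": score, "color": "#fd8d3c",  # assumed colour
                        "enabled": True, "showSubtechniques": True}
                       for tid, tactic in techniques],
    }


if __name__ == "__main__":
    print("validation:", validate_intrusion_set(POLONIUM) or "ok")
    print("ATT&CK ID:", attack_group_id(POLONIUM))
    print(json.dumps(navigator_layer(POLONIUM, TECHNIQUES), indent=2))
```

Run as a script it prints the validation result, the group ID and the layer JSON; save the JSON to a file and load it into ATT&CK Navigator as a local layer, adjusting the version numbers to the Navigator and ATT&CK release you run. The validation step matters when the object arrives from a feed rather than a web page: a revoked or deprecated intrusion-set, or an id whose prefix disagrees with its type, is a sign the record was mangled in transit or superseded.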