On 4 December 2023, Israel's National Cyber Directorate reported ongoing cooperation between Iranian state-sponsored actors and Polonium, a Lebanon-based operational group that appears to be affiliated with Iran's Ministry of Intelligence and Security.
Israel's National Cyber Directorate identified destructive attacks against Israeli critical infrastructure sectors, including water and energy. According to the Israeli report, the attacker was observed routing its network traffic through virtual private network (VPN) services and using PCloud as command-and-control (C2) infrastructure.
Historically, Polonium pursued the exploitation of Fortinet devices, particularly via CVE-2018-13379, and abused cloud services such as Microsoft OneDrive, Dropbox, and Mega as C2, which is consistent with the TTPs observed in the recent events.
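Because the recurring TTP across both the historical and the recent activity is consumer cloud-storage services used as C2, a practical detection is to flag egress to those services from hosts that have no business reason to reach them. The following is an added example, not code from the report or any vendor; the proxy log format, the hostnames, the restricted-host set and the domain suffix list are constructed for illustration and would need to be replaced with your own log schema and asset inventory.

```python
"""Flag egress to consumer cloud-storage services from hosts that should not use them.

Added illustration: the log format, hostnames and domain list below are constructed
for this example and are not taken from the Israeli National Cyber Directorate report.
"""
from collections import defaultdict
import re

# Cloud-storage services that reporting on Polonium associates with C2 use.
# Suffix matching, so subdomains (e.g. api.pcloud.com) are caught as well.
CLOUD_STORAGE_SUFFIXES = (
    "pcloud.com", "onedrive.live.com", "1drv.ms", "dropbox.com", "dropboxapi.com",
    "mega.nz", "mega.co.nz",
)

# Hosts (constructed names) that have no business reason to talk to consumer
# cloud storage: OT workstations, gateways and historians in a water utility.
RESTRICTED_HOSTS = {"scada-hmi-01", "plc-gw-02", "water-hist-01"}

# Constructed proxy log format: "<timestamp> <src_host> <dst_host> <bytes_out>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

# Constructed sample log: a regular 5-minute pattern from an HMI to pcloud,
# a laptop using Dropbox (not restricted), an internal NTP query and one
# large upload from a historian to Mega.
SAMPLE_LOG = """\
2023-12-04T08:00:01Z scada-hmi-01 api.pcloud.com 18342
2023-12-04T08:05:02Z scada-hmi-01 api.pcloud.com 20110
2023-12-04T08:10:01Z scada-hmi-01 api.pcloud.com 19877
2023-12-04T08:12:30Z eng-laptop-07 www.dropbox.com 5120
2023-12-04T08:13:10Z plc-gw-02 ntp.example.internal 76
2023-12-04T08:15:00Z water-hist-01 g.api.mega.co.nz 90231
"""


def matches_cloud_storage(host):
    """True if host equals or is a subdomain of a listed cloud-storage domain.

    Matching on the registrable suffix avoids the classic bypass where an
    attacker registers pcloud.com.example and a naive substring check fires
    (or fails) incorrectly.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, out = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "bytes_out": int(out)}


def find_cloud_storage_egress(log_text):
    """Return {src_host: {dst_host: (hit_count, total_bytes_out)}} for restricted hosts.

    Only restricted hosts are reported; the count and byte volume let an analyst
    tell a one-off from sustained beaconing or a bulk exfiltration upload.
    """
    findings = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in RESTRICTED_HOSTS:
            continue
        if not matches_cloud_storage(rec["dst"]):
            continue
        entry = findings[rec["src"]][rec["dst"]]
        entry[0] += 1
        entry[1] += rec["bytes_out"]
    return {s: {d: tuple(v) for d, v in dsts.items()} for s, dsts in findings.items()}


if __name__ == "__main__":
    for src, dsts in find_cloud_storage_egress(SAMPLE_LOG).items():
        for dst, (hits, total) in dsts.items():
            print(f"ALERT {src} -> {dst}: {hits} connection(s), {total} bytes out")
```

In practice the restricted-host set would come from the asset inventory and the log source would be the egress proxy or firewall; the point is that traffic to a legitimate, widely used service is only suspicious in context, so the rule keys on which host is talking rather than on the destination alone.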