    Software vulnerabilities push credential abuse aside in cloud intrusions

By admin, March 11, 2026

    Cloud intrusions are unfolding on shorter timelines, with attackers leaning more on unpatched software and compromised identities.

[Figure: H2 2025 distribution of initial access vectors exploited in Google Cloud (Source: Google)]

    Google Cloud’s Cloud Threat Horizons Report H1 2026 reflects incident response and intelligence findings from the second half of 2025 and shows how access methods and objectives are changing in cloud and SaaS environments.

    Third-party software flaws move ahead of credential abuse

    Unpatched third-party applications became the primary initial access path in observed Google Cloud incidents. Software vulnerabilities overtook weak or absent credentials, marking a shift from earlier intrusion patterns that leaned more on password reuse and configuration mistakes.

    Attackers targeted externally exposed applications and known vulnerabilities that could be exploited with limited interaction. Remote code execution formed a significant portion of this software-driven access, reflecting automated exploitation of application-layer flaws and internet-facing services.

    The window between vulnerability disclosure and mass exploitation collapsed from weeks to days, with threat actors deploying XMRig cryptocurrency miners within approximately 48 hours of public disclosure.

    Credential abuse remained common, and misconfiguration continued to provide openings into exposed systems. The leading position of software exploitation places greater weight on application security, patch cycles, and hardening of public services.

    “The scariest part of this report is seeing so many more exploits through third-party software, and we have to consider AI-based attacks as a major contributor to this. Rogue organizations are using tools to find and exploit weaknesses in the critical, often open-source software on which all modern stacks are built, and AI is now a huge part of that. It’s not all bad, though, as there’s been a decrease in organizations leaving the keys under the plant pot and an uptick in better credential hygiene,” Matt Saunders, VP DevOps, Adaptavist, told Help Net Security.

    Identity perimeters targeted with vishing and token theft

    Identity compromise continued to underpin most intrusions involving cloud and SaaS environments. Threat actors leaned on social engineering and stolen authentication material to move through trusted access channels.

    Voice-based phishing played a central role. Attackers impersonated internal staff and support personnel to pressure help desks and users into resetting credentials and altering MFA settings. These interactions enabled access that appeared legitimate inside identity systems.

    Token theft also featured prominently. Compromised OAuth tokens and other authentication artifacts linked to third-party applications enabled access without traditional login events. That pathway supported large-scale data access using valid sessions tied to trusted integrations.

    Email phishing remained active, often paired with credential harvesting and MFA fatigue tactics. Stolen identities also included non-human credentials such as service account keys and developer tokens exposed in earlier incidents or unsecured repositories.

    Malicious insiders shift data theft toward cloud storage

    Insider activity continued to center on data exfiltration. Reviews of malicious insider cases showed data theft as the dominant form of misconduct, affecting most incidents studied.

    Cloud services played a growing role in how insiders removed information. Corporate cloud environments and personally controlled cloud storage became common destinations for sensitive data.

    Exfiltration often took place during employment, with additional incidents occurring after individuals left their organizations. Some insiders accessed and removed data during both periods.

    Multiple exfiltration methods appeared frequently. Many incidents involved insiders using more than one pathway, such as combining email with cloud storage or removable media.

    Personally controlled cloud storage services featured in a notable share of cases. Some insiders relied on multiple cloud platforms to move data outside organizational controls.

Email remained a leading pathway in the historical sample, but its use declined over time. Platform-agnostic cloud services were the fastest-growing method and are projected to become the primary channel for insider data theft.

    North Korean actors weaponize Kubernetes for cryptocurrency theft

    State-sponsored activity linked to North Korean actors included a campaign that moved from endpoint compromise into cloud infrastructure and Kubernetes workloads. The operation relied on social engineering, abuse of trusted workflows, and living-off-the-cloud techniques to reach financial systems.

    Attackers gained a foothold on a developer workstation through a trojanized application and leveraged authenticated sessions and available credentials to pivot into cloud resources. Reconnaissance activity focused on compute instances, bastion hosts, and containerized workloads.

    Persistence mechanisms were established by modifying Kubernetes deployment configurations so newly created pods executed attacker-controlled commands. Additional changes targeted CI/CD-related resources to expose service account tokens in logs.

    Stolen high-privilege service account tokens enabled privilege escalation and lateral movement into sensitive systems. Access extended to workloads responsible for user identity and financial operations.

    Attackers extracted database credentials stored insecurely in environment variables and used them to access production databases. Account controls were modified, enabling unauthorized access to high-value user accounts and financial systems. The campaign ended with multimillion-dollar cryptocurrency theft.
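Both of the Kubernetes techniques described above leave their trace in the Deployment object itself: the persistence step rewrites the pod template so every new pod runs something extra, and the credential theft relies on database secrets sitting as literal values in container environment variables. The following is an added example, not code from the report or from Google: a Python check that compares two versions of a Deployment manifest (for example the requestObject and responseObject of a Kubernetes audit event, or two `kubectl get deploy -o json` snapshots) and reports changed images, commands or arguments, added containers, and env vars carrying a literal credential. The Deployment, image, and values below are constructed for illustration; the credential-name heuristic is an assumption, not a standard.

```python
import copy
import re
from typing import Any

# Heuristic: env var names that usually carry a secret (case-insensitive).
CRED_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)
# URL-style connection strings with an embedded password: scheme://user:password@host
CRED_VALUE = re.compile(r"^[a-z][a-z0-9+.-]*://[^:/@\s]+:[^@\s]+@", re.I)


def _containers(deploy: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Index the pod template's initContainers and containers by kind/name."""
    pod = deploy["spec"]["template"]["spec"]
    indexed: dict[str, dict[str, Any]] = {}
    for kind in ("initContainers", "containers"):
        for cont in pod.get(kind, []):
            indexed[f"{kind}/{cont['name']}"] = cont
    return indexed


def plaintext_credentials(container: dict[str, Any]) -> list[str]:
    """Names of env vars whose literal value looks like a credential.

    Entries using valueFrom (secretKeyRef, configMapKeyRef, ...) carry no
    literal value in the manifest and are skipped.
    """
    hits: list[str] = []
    for env in container.get("env", []):
        value = env.get("value")
        if value is None:
            continue
        if CRED_NAME.search(env["name"]) or CRED_VALUE.match(value):
            hits.append(env["name"])
    return hits


def diff_pod_template(old: dict[str, Any], new: dict[str, Any]) -> list[str]:
    """Compare two versions of a Deployment and return one finding per line."""
    before, after = _containers(old), _containers(new)
    findings: list[str] = []
    for name in sorted(after.keys() - before.keys()):
        findings.append(f"container added: {name}")
    for name, cont in after.items():
        prev = before.get(name)
        if prev is not None:
            for field in ("image", "command", "args"):
                if cont.get(field) != prev.get(field):
                    findings.append(
                        f"{field} changed on {name}: {prev.get(field)!r} -> {cont.get(field)!r}"
                    )
        for var in plaintext_credentials(cont):
            findings.append(f"plaintext credential in env on {name}: {var}")
    return findings


# Constructed sample, not taken from the report: a Deployment before and after tampering.
BEFORE: dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "ledger-api", "namespace": "payments"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "registry.example.internal/ledger-api:1.4.2",
        "command": ["/app/server"],
        "env": [
            {"name": "DB_HOST", "value": "db.payments.svc"},
            {"name": "DB_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "ledger-db", "key": "password"}}},
        ],
    }]}}},
}

AFTER: dict[str, Any] = copy.deepcopy(BEFORE)
_api = AFTER["spec"]["template"]["spec"]["containers"][0]
# Hypothetical tampering: every new pod now starts an extra binary before the real
# server, and a connection string with the password inline was added as a plain env var.
_api["command"] = ["/bin/sh", "-c", "/tmp/.cache/agent & exec /app/server"]
_api["env"].append({"name": "DATABASE_URL",
                    "value": "postgres://app:hunter2@db.payments.svc:5432/ledger"})

if __name__ == "__main__":
    for line in diff_pod_template(BEFORE, AFTER):
        print(line)
```

Run against the sample, the check reports the changed `command` and the `DATABASE_URL` literal, and nothing for the original manifest, whose password is referenced through a Secret. The same comparison can be driven from audit-log `patch`/`update` events on `deployments` to alert in near real time rather than at the next manifest review.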

    AI-driven supply chain techniques come into focus

An intrusion investigated by Mandiant researchers shows how supply chain compromise and identity trust relationships can escalate from developer tooling into production cloud control. The attack began with a compromised npm (Node Package Manager) package that executed malicious code and harvested environment data and authentication tokens from a developer workstation.

    A stolen GitHub personal access token enabled unauthorized access to the organization’s source code repositories. The threat actor then abused a GitHub-to-cloud OpenID Connect trust relationship to obtain temporary cloud credentials.

    An overly permissive cloud role allowed the deployment of new infrastructure and the creation of administrative privileges. Privilege escalation enabled access to production resources, data exfiltration, and destructive activity in the cloud environment.
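The OIDC step is where a stolen GitHub token turns into cloud credentials: GitHub's OIDC provider issues a workflow token whose `sub` claim names the repository and the ref, environment or pull_request run, and the cloud role's trust condition decides which of those tokens may assume it. A trust policy that only checks the audience, or matches `sub` with a broad wildcard, lets any workflow the attacker can run mint short-lived cloud credentials. The following is an added example, not from the report or from Mandiant: a Python audit of AWS-style IAM role trust policies for GitHub OIDC. The report does not name the cloud provider; the AWS trust policy format is assumed here, and the account ID, organization and repository names are placeholders constructed for the example.

```python
import copy
from typing import Any, Iterator

GITHUB_ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_ISSUER}:sub"
AUD_KEY = f"{GITHUB_ISSUER}:aud"


def _as_list(value: Any) -> list:
    """IAM policy JSON allows a string or a list in most places; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _github_statements(policy: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Allow statements that let the GitHub OIDC provider assume the role."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        federated = _as_list(st.get("Principal", {}).get("Federated", []))
        if any(GITHUB_ISSUER in p for p in federated):
            yield st


def _conditions(st: dict[str, Any]) -> Iterator[tuple[str, str, list[str]]]:
    """Flatten the Condition block into (operator, key, values) triples."""
    for op, kv in st.get("Condition", {}).items():
        base = op.split(":")[-1]  # strip ForAnyValue:/ForAllValues: set operators
        for key, values in kv.items():
            yield base, key, [str(v) for v in _as_list(values)]


def check_sub(op: str, value: str) -> list[str]:
    """Findings for one sub pattern such as repo:org/name:ref:refs/heads/main.

    Only StringLike treats '*' and '?' as wildcards; under StringEquals they are
    literal characters, so an exact sub value is never widened.
    """
    if op != "StringLike" or not any(ch in value for ch in "*?"):
        return []
    if not value.startswith("repo:"):
        return [f"sub {value!r} does not constrain the repository"]
    repo, _, claim = value[len("repo:"):].partition(":")
    if any(ch in repo for ch in "*?"):
        # '*' also matches ':' so repo:org/* covers every ref of every repo in org.
        return [f"sub {value!r} matches more than one repository, and every ref in them"]
    if claim == "*":
        return [f"sub {value!r} matches any branch, tag, environment or pull_request run"]
    return [f"sub {value!r} wildcards the ref/environment part"]


def audit_github_oidc_trust(policy: dict[str, Any]) -> list[str]:
    """Return findings for every statement that trusts GitHub's OIDC provider."""
    findings: list[str] = []
    for i, st in enumerate(_github_statements(policy)):
        conds = list(_conditions(st))
        subs = [(op, v) for op, key, vals in conds if key == SUB_KEY for v in vals]
        auds = [v for _, key, vals in conds if key == AUD_KEY for v in vals]
        if not auds:
            findings.append(f"statement {i}: audience (aud) is not checked")
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub repository's "
                            "workflow can assume this role")
        for op, value in subs:
            findings.extend(f"statement {i}: {f}" for f in check_sub(op, value))
    return findings


# Constructed samples (placeholder account, org and repo names) in AWS trust policy format.
WEAK: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
            # Any repo in the org, any branch, any PR run can assume the role.
            "StringLike": {SUB_KEY: "repo:example-org/*"},
        },
    }],
}

# Worse: audience only. Every GitHub workflow anywhere can present a valid token.
NO_SUB: dict[str, Any] = copy.deepcopy(WEAK)
del NO_SUB["Statement"][0]["Condition"]["StringLike"]

HARDENED: dict[str, Any] = copy.deepcopy(WEAK)
HARDENED["Statement"][0]["Condition"] = {
    "StringEquals": {
        AUD_KEY: "sts.amazonaws.com",
        # Exactly one repo and one deployment environment, matched literally.
        SUB_KEY: "repo:example-org/ledger-api:environment:production",
    }
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("no_sub", NO_SUB), ("hardened", HARDENED)):
        print(name, audit_github_oidc_trust(pol) or ["ok"])
```

Pinning `sub` to a repository and a protected environment means a token minted from a feature branch or a pull_request run, which is where injected package code typically executes first, cannot assume the production role; the role's permissions then bound what a compromised workflow can do, which is the second gap the intrusion above exploited. On Google Cloud the same pinning lives in the Workload Identity Federation provider's attribute condition on the token's repository and ref claims rather than in a trust policy.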

The malware also used an LLM tool on the compromised endpoint to identify files of interest, demonstrating how AI tools can assist credential discovery and environment reconnaissance during intrusions.

    Saunders said supply chain activity is increasing in frequency and impact. “The report shows that supply chain attacks are also more frequent, with threat actors injecting malicious code into trusted places and having those attacks propagate through pipelines to ultimately steal or destroy data, ironically leveraging the victim’s own automation systems for profit. Fuzzing is so much easier thanks to Generative AI’s ability to learn the context of a potential vulnerability vector, so it’s no surprise that these attacks have multiplied.”

    He added that defensive posture needs to adjust. “To fight against this, organizations need to keep up with these techniques, and also limit the blast radius of any potential attack. Zero-trust security approaches are more important than ever, making sure that systems that could be used as a transport for an attack are running with the fewest privileges they need. A robust incident management process to address potential threats and real attacks is also critical.

    “The pressure to deliver software faster and safer never stops though, and everyone needs to step up on automating governance to catch changes, including weaknesses, potential attack routes, and actual hackers trying to get in. Just bolting this over the top isn’t enough any more; it needs to be standard practice for everyone,” concluded Saunders.
