ArchiveOODA OriginalSecurity and Resiliency

Google Cybersecurity Action Team Releases First Cloud Threat Intel Report

Google’s Cybersecurity Action Team was launched in early October of this year, as part of the company’s $10 billion pledge to strengthen cybersecurity, all of which grew out of the launch in August, by CISA Director Jen Easterly, of the CISA JCDC (Joint Cyber Defense Collaborative). Google is a partner company with CISA in the JCDC.

The Cybersecurity Action Team’s efforts begin with Google Cloud.  They recently released their first publicly available intelligence offering – Threat Horizons, Cloud Threat Intelligence, November 2021, Issue 1 – a monthly report based on “threat intelligence observations from the Threat Analysis Group (TAG), Google Cloud Security and Trust Center, Google Cloud Threat Intelligence for Chronicle, Trust and Safety, and other internal teams.” The report provides:

  • Actionable intelligence that enables organizations to ensure their cloud environments are best protected against ever-evolving threats; and
  • Threat horizon scanning, trend tracking, and Early Warning announcements about emerging threats requiring immediate action.

At the same time as the launch of the Cybersecurity Action Team initiative by Google, the company announced that CrowdStrike will provide endpoint protection and Palo Alto Networks will provide network protection for Google Cloud customers. The entire cybersecurity initiative is also aligned with the NIST Cybersecurity Framework.

From the Inaugural Threat Horizons Report

Due to the sheer scale of Google and Google Cloud, the company’s findings and recommendations promise to be best-in-class and the entire report is worth a detailed review.  The report begins by reinforcing that cybersecurity fundamentals still matter:  “While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation.”

Current threats observed include:

  • Compromised Google Cloud Platform (GCP)  instances used for cryptocurrency mining:  Malicious actors were observed performing cryptocurrency mining within compromised Cloud instances. Of 50 recently compromised GCP instances, 86% of the compromised Cloud instances were used to perform cryptocurrency mining, a Cloud resource-intensive, for-profit activity. Additionally, 10% of compromised Cloud instances were used to conduct scans of other publicly available resources on the Internet to identify vulnerable systems, and 8% of instances were used to attack other targets. While data theft did not appear to be the objective of these compromises, it remains a risk associated with the cloud asset compromises as bad actors start performing multiple forms of abuse.
  • North Korean actors impersonate employment recruiters:  TAG observed a North Korean government-backed attacker group that has previously targeted security researchers posing as Samsung recruiters and sending fake job opportunities to employees at multiple South Korean information security companies that sell anti-malware solutions. The emails included a PDF allegedly claiming to be of a job description for a role at Samsung; however, the PDFs were malformed and did not open in a standard PDF reader.  When targets replied that they could not open the job description, attackers responded with a malicious link to malware purporting to be a “Secure PDF Reader” stored in Google Drive which has now been blocked.
  • Fraudsters employ new Threat, Tactics, and Procedures (TTPs) to abuse Google Cloud resources: TAG observed a group of attackers abusing Google Cloud resources to generate traffic to YouTube for view count manipulation. Attackers have also used various approaches to gain free Cloud credits, including the use of free trial projects, abusing start-up credits with fake companies, and joining Google Developer Communities for free projects. Upon detection and enforcement by Google’s Cloud abuse team, the attackers quickly switched to Qwiklab projects and the Cloud abuse team pivoted to counter this offensive.
  • Black Matter ransomware rises out of DarkSide: Based on research from Google Cloud Threat Intelligence for Chronicle, Black Matter is one of many ransomware families currently being used to extort money from victims by locking their files using encryption; however, the ransomware does not transfer files off-network as its ransom note claims. While the Black Matter group is a relatively new player in this space, evidence suggests it is the immediate offspring of DarkSide. Black Matter is capable of encrypting files on a victim’s hard drive and network shares in a relatively short period of time by distributing the workload across multiple threads.
  • Russia launches Gmail phishing campaign: Based on research from Google’s Threat Analysis Group (TAG), the Russian government-backed attackers APT28/Fancy Bear, which typically targeted Yahoo! and Microsoft users, was observed at the end of September sending a large-scale attack to approximately 12K+ Gmail accounts in a credential phishing campaign. The attackers were
    using patterns similar to TAG’s government-backed attack alerts to lure users to change their credentials on the attacker’s phishing page. Google blocked these messages and no users were compromised.

Source:  Google Cybersecurity Action Team, Threat Horizons, Cloud Threat Intelligence, November 2021, Issue 1


If your organization has experienced any of the abovementioned activities, consult the report for specific actions and mitigations. If you are not a GCP customer, their threat findings and recommendations apply in a general way to all cloud-based XaaS platforms and products, as the vulnerabilities are not specific to the GCP platform and exist on other industry offerings.

The report offers a series of cumulative recommendations, which are based on the activities they highlight in the report, as well as “valuable trends and lessons-learned…from other incidents.”  Their ‘high-level’ recommendations include:

Audit published projects to ensure certificates and credentials are not accidentally exposed:  Certificates and credentials are mistakenly included in projects published on GitHub and other repositories on a regular basis. Exposed certificates and credentials could allow an attacker to unauthorized access to your projects in Google Cloud. A regular audit of published projects can help ensure this mistake can be detected and fixed quickly.

Code downloaded by clients should undergo hashing authentication: It is a common practice for clients to download updates and code from cloud resources, raising concern that unauthorized code may be downloaded in the process. Meddler in the Middle (MITM) attacks may cause unauthorized source code to be pulled into production. By hashing and verifying all downloads, the integrity of the software supply chain can be preserved and an effective chain of custody can be established.

Use multiple layers of defense to combat credential and cookie theft. Cloud-hosted resources have the benefit of high availability and “anywhere, anytime” access. While cloud-hosted resources streamline workforce operations, bad actors can try to take advantage of the ubiquitous nature of the cloud to compromise cloud resources. Despite growing public attention to cybersecurity, spear-phishing and social engineering tactics are frequently successful.  As for other forms of IT security, defensive measures need to be robust and layered to protect cloud resources due to ubiquitous access.

Interestingly, no matter how sophisticated the cyberthreat unearthed by this inaugural Google Threat report (based on the vast amount of network traffic they manage) or the complexity of your organization’s cybersecurity implementation, cybersecurity fundamentals still count.

Most of the countermeasures recommended at the end of the report are familiar, such as:  enabling 2-Step Verification on accounts used to access Cloud resources; enforce and monitor password requirements for users; context-Aware Access; and engaging in email best practices.

If you are committed to GCP as your cloud-based service provider, the report has specific recommendations for Google cybersecurity solutions such as  BeyondCorp Enterprise and Work Safer.

Further Resources

For more on the types of threats identified by Google’s Cybersecurity Action Team, see  Cybersecurity Sensemaking | OODA Loop.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real-world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along its journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this megatrend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for businesses and governments

From the very beginning of the pandemic, we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily intelligence as well as pointers to reputable information from other sites. See: OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision-making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast


Daniel Pereira

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.