The numbers tell a sobering story. Cloud intrusions surged 136% in just the first half of 2025, according to CrowdStrike’s latest Threat Hunting Report. But what should keep data protection officers awake at night is that 81% of these intrusions used zero malware. No viruses, no trojans. Just stolen credentials and patient adversaries who understand a business’s compliance frameworks better than it might think.
This is not the traditional cyberattack narrative. Today’s threat actors are not just breaking down digital doors; they are walking through them with legitimate keys, exploiting the very tools and processes organisations rely on for innovation and efficiency. For those responsible for data security, privacy, and compliance, this evolution demands a fundamental rethinking of protection strategies.
The shift away from malware-based attacks represents more than a tactical change. It is a complete reimagining of how data breaches occur. China-nexus groups like GENESIS PANDA and MURKY PANDA have demonstrated sophisticated understanding of cloud infrastructure, using Instance Metadata Services to obtain credentials and then leveraging those credentials for systematic data harvesting.
Consider GENESIS PANDA’s approach. After compromising a cloud-hosted server, they query metadata services to obtain cloud control plane credentials. From there, they execute bulk exports from storage buckets, create backdoor accounts for persistent access, and deploy custom tools to automate sensitive data discovery. All this activity generates minimal security alerts because it uses legitimate cloud management APIs. Security systems see authorised API calls, not a data breach in progress.
This presents a compliance nightmare. Traditional data loss prevention solutions struggle to distinguish between legitimate administrative activity and malicious data collection when the adversary is using valid credentials and standard tools. The result? Organisations may not even realise they have experienced a data breach until long after sensitive information has been compromised.
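The activity described above is hard to spot precisely because every call is an authorised API call; what gives it away is context. The following is an added example, not code from the report or from CrowdStrike, showing three detection rules over CloudTrail-shaped events: an instance-profile session used from an address outside the fleet (the tell-tale of credentials lifted via the metadata service), a burst of object reads by one principal, and a workload identity creating new users or keys. The events, the egress addresses, the thresholds and the role names are all constructed for the example.

```python
"""Detection logic for the credential-theft-then-bulk-export pattern described above,
run over CloudTrail-shaped events. Added example; every event below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inputs: the organisation's known egress addresses for its EC2 fleet
# (TEST-NET addresses here, not real), plus tuning values for the bulk-read rule.
KNOWN_INSTANCE_EGRESS = {"203.0.113.10", "203.0.113.11"}
BULK_READ_THRESHOLD = 5                    # GetObject calls per principal within the window
BULK_WINDOW = timedelta(minutes=10)
PERSISTENCE_CALLS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy"}

INSTANCE_ROLE = "arn:aws:sts::123456789012:assumed-role/web-instance-role/i-0abc123def456"
EXTERNAL_IP = "198.51.100.7"               # constructed address outside the fleet


def make_event(time, name, ip, arn, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "arn": arn},
            "requestParameters": params}


# Constructed timeline: one normal read by the instance itself, then the same
# instance-role session reappearing from outside the fleet, pulling a bucket
# and creating a backdoor IAM user.
SAMPLE_EVENTS = (
    [make_event("2025-06-01T09:00:00Z", "GetObject", "203.0.113.10", INSTANCE_ROLE,
                bucketName="app-config", key="settings.json"),
     make_event("2025-06-01T09:05:00Z", "ListBuckets", EXTERNAL_IP, INSTANCE_ROLE)]
    + [make_event(f"2025-06-01T09:{6 + i:02d}:00Z", "GetObject", EXTERNAL_IP, INSTANCE_ROLE,
                  bucketName="customer-exports", key=f"batch-{i}.csv") for i in range(6)]
    + [make_event("2025-06-01T09:15:00Z", "CreateUser", EXTERNAL_IP, INSTANCE_ROLE,
                  userName="svc-backup-ops"),
       make_event("2025-06-01T09:15:30Z", "CreateAccessKey", EXTERNAL_IP, INSTANCE_ROLE,
                  userName="svc-backup-ops")]
)


def is_instance_profile_session(arn):
    """EC2 instance-profile credentials carry the instance ID as the role session name."""
    return "assumed-role/" in arn and arn.rsplit("/", 1)[-1].startswith("i-")


def detect(events):
    """Return one alert per (rule, principal) pair. Every call is an authorised API call;
    the signal is context: where the session is used, how much it reads, what it creates."""
    alerts, seen = [], set()
    recent_reads = defaultdict(list)

    def raise_alert(rule, arn, **detail):
        if (rule, arn) not in seen:
            seen.add((rule, arn))
            alerts.append({"rule": rule, "principal": arn, **detail})

    for ev in sorted(events, key=lambda e: e["eventTime"]):
        arn, ip, name = ev["userIdentity"]["arn"], ev["sourceIPAddress"], ev["eventName"]
        from_instance = is_instance_profile_session(arn)

        # Rule 1: instance-role session used from an address that is not one of our instances
        if from_instance and ip not in KNOWN_INSTANCE_EGRESS:
            raise_alert("instance_role_used_off_host", arn, ip=ip, first_call=name)

        # Rule 2: many object reads by one principal inside a short sliding window
        if name == "GetObject":
            t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            window = [w for w in recent_reads[arn] if t - w <= BULK_WINDOW] + [t]
            recent_reads[arn] = window
            if len(window) >= BULK_READ_THRESHOLD:
                raise_alert("bulk_object_read", arn, reads=len(window),
                            bucket=ev["requestParameters"].get("bucketName"))

        # Rule 3: a workload identity minting new users or keys (persistence)
        if from_instance and name in PERSISTENCE_CALLS:
            raise_alert("persistence_from_instance_role", arn, call=name,
                        target=ev["requestParameters"].get("userName"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first rule depends on an accurate inventory of the fleet's egress addresses, which is the hard part in practice; the other two need no such inventory and also catch the same pattern when the stolen credentials are used from another instance inside the account. Requiring session-token-based metadata access (IMDSv2 on AWS) is a known hardening step that narrows the credential-theft path this example detects, though it is not something the report text above discusses.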
Perhaps the most disturbing trend in data security comes from the weaponisation of generative AI by insider threats. FAMOUS CHOLLIMA, a North Korea-linked group, has infiltrated over 320 companies in the past year – a 220% increase – by using AI at every stage of their operations. They are not breaking in; they are getting hired.
These operatives use AI to craft compelling resumes, deploy deepfake technology during video interviews, and leverage AI coding assistants to appear productive while systematically harvesting sensitive data. Once inside, they use AI translation tools and chatbots to manage multiple simultaneous employments, responding to communications and maintaining their cover while exfiltrating intellectual property, source code, and customer data.
The privacy and compliance implications are profound. When threat actors become legitimate employees, they gain authorised access to everything from HR systems containing personal information to development environments with proprietary code. They attend meetings where sensitive strategies are discussed. They have valid reasons to access customer databases and financial records. Traditional insider threat programs, designed to catch disgruntled employees or careless mistakes, are wholly unprepared for AI-enhanced adversaries who can manage three or four simultaneous positions while appearing to be model employees.
What makes this particularly challenging is that these operatives often target roles with elevated data access. They are not interested in quick theft; they establish long-term positions that provide sustained access to flows of sensitive information. By the time organisations discover the deception, months of data may have been compromised, affecting not just corporate secrets but the personal information of employees and customers.
The 136% surge in cloud intrusions is not just a statistic; it represents a fundamental shift in how organisations must think about data protection. Cloud environments offer adversaries multiple advantages: elastic computing resources, legitimate-looking traffic patterns, and often inconsistent security controls across different services and regions.
Consider how modern ransomware groups operate. They have moved beyond simply encrypting endpoint data. Groups like BLOCKADE SPIDER now compromise cloud environments to access backup systems, dump credentials from virtualisation platforms, and establish multiple persistence mechanisms across both on-premises and cloud infrastructure. They understand that to maximise leverage for ransom demands, they need to compromise not just primary data but also the backups and disaster recovery systems organisations rely on.
This cross-domain movement is particularly challenging for compliance teams. Data that might be properly protected in one environment becomes vulnerable when accessed through another. A database that’s encrypted at rest and protected by strong access controls becomes an open book when an attacker compromises the virtualisation layer it runs on.
So how do organisations protect data when the perimeter is dead and adversaries hold legitimate credentials? The answer lies in adopting a data-centric security model that assumes breach and builds protection around the data itself, not just the systems that house it.
First, implement true zero-trust architecture for data access. This means encrypting data not just at rest and in transit, but in use. It means attribute-based access controls that consider not just who is accessing data, but when, from where, and in what context. When GENESIS PANDA uses legitimate credentials to execute bulk exports, these contextual factors can flag the activity as suspicious even though the credentials are valid.
Second, rethink identity as the new perimeter. With 81% of intrusions being malware-free, identity and access management becomes the primary defence. This requires continuous verification, behavioural baselines, and the ability to detect anomalous access patterns in real time. When SCATTERED SPIDER compromises an executive account and immediately downloads years of data, the unusual behaviour should trigger alerts, even with valid credentials.
Third, embrace transparency in the data architecture. Businesses cannot protect what they cannot see. Comprehensive audit logging must track all data interactions across every communication channel. When adversaries can pivot from compromise to exfiltration in minutes, real-time visibility into data flows becomes critical for both security and compliance.
The key is integration. These capabilities must work together seamlessly: suspicious identity behaviour should trigger enhanced monitoring, unusual access patterns should prompt additional authentication, and every interaction should be logged and analysed. This creates a resilient defence that adapts to evolving threats while providing the forensic data essential for compliance.
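To make the three recommendations above concrete, here is an added example (not from the report, and not any vendor's product logic) of a contextual access decision that ties them together: an attribute-based check on who, when, from where and how much; a per-principal behavioural baseline that turns "years of data" into a measurable volume anomaly; a watchlist so that a denied request puts the identity under enhanced monitoring for later requests; and an audit record for every decision. The baseline values, the risk-score thresholds and the executive's requests are constructed for illustration.

```python
"""Contextual (attribute-based) access decision with a behavioural baseline, enhanced
monitoring and an audit trail. Added example with constructed data."""
import statistics
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AccessRequest:
    principal: str
    resource: str
    classification: str      # "internal" or "confidential"
    rows_requested: int
    when: datetime           # UTC
    country: str
    mfa_verified: bool       # fresh MFA on this session


@dataclass
class Baseline:
    """Per-principal behavioural baseline. Values here are constructed; in practice
    they are learned from the identity's own history."""
    usual_countries: set
    usual_hours: range       # hours (UTC) in which this principal normally works
    typical_rows: list       # row counts of recent sessions

    def volume_zscore(self, rows):
        mean = statistics.mean(self.typical_rows)
        sd = statistics.pstdev(self.typical_rows) or 1.0
        return (rows - mean) / sd


class DataAccessGuard:
    STEP_UP_AT, DENY_AT = 1, 4   # assumed risk-score thresholds

    def __init__(self, baselines):
        self.baselines = baselines
        self.watchlist = set()   # principals under enhanced monitoring
        self.audit = []          # every decision, kept as forensic and compliance evidence

    def decide(self, req):
        """Return (decision, reasons) where decision is allow, step_up or deny."""
        base = self.baselines[req.principal]
        risk, reasons = 0, []
        if req.country not in base.usual_countries:
            risk += 2
            reasons.append(f"unusual country {req.country}")
        if req.when.hour not in base.usual_hours:
            risk += 1
            reasons.append(f"outside usual hours ({req.when.hour:02d}:00 UTC)")
        z = base.volume_zscore(req.rows_requested)
        if z > 3:
            risk += 3
            reasons.append(f"{req.rows_requested} rows is {z:.0f} sd above baseline")
        if req.classification == "confidential" and not req.mfa_verified:
            risk += 1
            reasons.append("confidential data without fresh MFA")

        if risk >= self.DENY_AT:
            decision = "deny"
            self.watchlist.add(req.principal)   # suspicious identity: monitor from now on
        elif risk >= self.STEP_UP_AT or req.principal in self.watchlist:
            decision = "step_up"                # valid credentials are not enough here
            if risk < self.STEP_UP_AT:
                reasons.append("principal under enhanced monitoring")
        else:
            decision = "allow"

        self.audit.append({"principal": req.principal, "resource": req.resource,
                           "rows": req.rows_requested, "country": req.country,
                           "time": req.when.isoformat(), "risk": risk,
                           "decision": decision, "reasons": list(reasons)})
        return decision, reasons


# Constructed baseline for an executive account: UK, office hours, a few hundred rows per session.
EXEC_BASELINE = Baseline(usual_countries={"GB"}, usual_hours=range(8, 19),
                         typical_rows=[200, 350, 180, 400, 260])


def run_scenario():
    """Normal query, then a bulk pull at 03:00 from abroad, then a normal-looking query again."""
    guard = DataAccessGuard({"cfo@example.com": EXEC_BASELINE})
    requests = [
        AccessRequest("cfo@example.com", "customer-db", "confidential", 300,
                      datetime(2025, 6, 2, 10, 0, tzinfo=timezone.utc), "GB", True),
        AccessRequest("cfo@example.com", "customer-db", "confidential", 2_000_000,
                      datetime(2025, 6, 2, 3, 0, tzinfo=timezone.utc), "US", True),
        AccessRequest("cfo@example.com", "hr-records", "confidential", 250,
                      datetime(2025, 6, 2, 10, 30, tzinfo=timezone.utc), "GB", True),
    ]
    return guard, [guard.decide(r)[0] for r in requests]


if __name__ == "__main__":
    guard, decisions = run_scenario()
    print(decisions)
    for record in guard.audit:
        print(record)
```

The third request is what integration buys: on its own it looks exactly like the first and would be allowed, but because the identity was flagged minutes earlier it now requires additional authentication, and the audit trail records why. Real deployments would feed the baseline from an identity-analytics source and apply the decision inside the data access path (a proxy, a database gateway or a policy engine) rather than in application code.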
Traditional compliance frameworks were not designed for a world where adversaries use legitimate tools and credentials. They assume binary states. There is either compliance or not. But when an attacker with valid credentials exports data through approved channels, when does a compliant system become non-compliant?
Organisations need to evolve their compliance programs from checklist exercises to dynamic risk management. This means continuous monitoring rather than point-in-time assessments. It means assuming that some level of compromise is inevitable and building compensating controls. Most importantly, it means aligning compliance activities with actual threat intelligence rather than theoretical risks.
The data security landscape has fundamentally changed. Adversaries no longer need malware when they can steal or socially engineer their way to legitimate credentials. They do not need to break encryption when they can access data through the same interfaces administrators use. They don’t need sophisticated exploits when patient, persistent presence yields better results.
For organisations serious about protecting data in this new reality, the path forward is clear. Adopt zero-trust principles not as a buzzword but as an operational reality. Invest in identity security with the same rigour previously reserved for network security. Build visibility across all domains where data lives and moves. And perhaps most importantly, accept that in a world where legitimate access becomes the attack vector, protecting data requires thinking like an adversary who already has the keys to the kingdom.
The question is not whether adversaries will target an organisation’s data. They already are. The question is whether an organisation’s defences have evolved to meet them where they operate: inside the environment, using the business’s tools, with legitimate credentials. The 136% surge in cloud intrusions is not just a statistic. It is a wake-up call that the future of data security has already arrived.