Google Cloud warns cloud misconfigurations and identity security gaps pose growing risks to critical infrastructure systems


New data from Google Cloud finds that basic security failures continue to drive the majority of cloud compromises, even as threat activity grows more sophisticated. The analysis shows that weak or absent credentials accounted for 47.1% of observed cloud security incidents, making identity compromise the most common initial access vector. Misconfigurations represented 29.4%, while compromised APIs or user interfaces accounted for 11.8%, highlighting the continued exposure created by poor identity controls and cloud configuration practices.

In its ‘Cloud Threat Horizons Report H2 2025,’ Google Cloud points to increasingly adaptive tactics by threat actors operating in cloud environments. Researchers observed attackers abusing legitimate cloud infrastructure, including storage services and developer repositories, to host malicious files or decoy documents designed to trigger malware downloads. In several cases, adversaries also relied on social engineering and stolen session cookies to bypass multifactor authentication and maintain persistent access to cloud resources.

Once inside an environment, attackers frequently attempt lateral movement to locate credentials, private keys, and access tokens that enable deeper control over workloads and sensitive data. The findings underscore the need for stronger identity security, least privilege access controls, and continuous monitoring of cloud configurations to reduce the risk of data theft and operational disruption.

Compared with the second half of 2024, Google Cloud observed a 4.9% decrease in misconfiguration-based access and a 5.3% decrease in API/UI compromises. Part of that shift appears to have moved into leaked credentials, which accounted for 2.9% of initial access in the first half of 2025. This is an evolving risk: credentials discovered on dark web and other public sources are exploited quickly, often automatically, so detection and remediation must be equally fast. Google Cloud offers integrations with partners that identify and notify customers of leaked credentials, along with configurations that disable leaked keys before threat actors can use them.

Google reported on another vector, remote code execution (RCE), which accounted for 2.9% of initial access in the first half of 2025. “While this figure remains consistent with previous Cloud Threat Horizons Reports, its persistence underscores the critical need for effective, timely patch management. Recognizing this ongoing threat posed by vulnerabilities that can lead to RCE, the Google Cloud CISO Security Engineering (CCSE) Cloud Vulnerabilities Research (CVR) team proactively discovered critical Rsync vulnerabilities in Q4 2024. These flaws, if exploited by threat actors, could enable RCE leading to significant supply chain compromises.” 

It added that subsequent coordinated disclosure with the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and industry partners in the first quarter of 2025 demonstrates Google Cloud’s dedication to improving global cloud security by addressing these pervasive threats.

Mitigating the initial access vectors identified in the Cloud Threat Horizons Report H2 2025 requires a defense-in-depth strategy that combines strong identity governance, proactive threat detection, and continuous oversight of cloud security posture.

Organizations should begin by strengthening identity and access management controls. Permissions granted to both human users and service accounts should be audited regularly to identify and remove excessive access in line with the principle of least privilege. Tools such as Google IAM Recommender can help detect and reduce unnecessary permissions automatically, ensuring that users and services maintain only the access required for their roles. Regular reviews of IAM policies can limit the potential impact of compromised credentials or exposed API keys.
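The audit described above can be scripted against the project IAM policy. The following is an added example, not code from Google Cloud or from the report: it reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, flags basic roles, project-wide impersonation roles and public principals, and emits the `remove-iam-policy-binding` commands that would drop each offending binding. The embedded policy, project name and principals are constructed for illustration.

```python
"""Audit a Google Cloud project IAM policy for bindings that violate least privilege.

Input is the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`.
A constructed sample policy is embedded below so the script runs offline; the
project and principals in it are fictitious.
"""
import json

# Basic roles (owner/editor/viewer) grant broad access across every service in
# the project; they are the classic over-permissioning finding.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Roles that let the holder act as, or mint credentials for, service accounts.
# Granted at project level they let a compromised principal impersonate any
# service account in the project, which is a privilege-escalation path.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountAdmin",
}

# Special principals that make a binding reachable by anyone (or anyone with a
# Google account); on a project-level binding this is a misconfiguration.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (not taken from a real project).
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXexample=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci-deploy@example-proj.iam.gserviceaccount.com"]},
        # The default Compute Engine service account historically gets Editor.
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["group:data-eng@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "roles/logging.viewer",
         "members": ["user:bob@example.com"]},
    ],
})


def audit_policy(policy_json: str) -> list[dict]:
    """Return one finding per (member, role) pair that should be removed or scoped down."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            principal_type = member.split(":", 1)[0]   # user, group, serviceAccount, ...
            if member in PUBLIC_MEMBERS:
                issue, severity = "public principal bound to a project role", "critical"
            elif role in BASIC_ROLES and principal_type == "serviceAccount":
                issue, severity = "service account holds a basic role", "high"
            elif role in BASIC_ROLES:
                issue, severity = "basic role on a human or group principal", "medium"
            elif role in IMPERSONATION_ROLES:
                issue, severity = "project-wide impersonation role; scope it to one service account", "high"
            else:
                continue
            findings.append({"member": member, "role": role,
                             "severity": severity, "issue": issue})
    return findings


def remediation_commands(project: str, findings: list[dict]) -> list[str]:
    """gcloud commands that drop each offending binding (review before running)."""
    return [
        f"gcloud projects remove-iam-policy-binding {project} "
        f"--member={f['member']} --role={f['role']}"
        for f in findings
    ]


if __name__ == "__main__":
    results = audit_policy(SAMPLE_POLICY)
    for f in results:
        print(f"[{f['severity']}] {f['member']} -> {f['role']}: {f['issue']}")
    print("\n".join(remediation_commands("example-proj", results)))
```

Run it against a real export by replacing `SAMPLE_POLICY` with the file contents. The rule set is deliberately small; in practice the findings are a starting point for a review that replaces each basic role with predefined or custom roles matching what the principal actually does, rather than a list to apply blindly.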

Strengthening cloud security requires moving beyond traditional network defenses and focusing on identity-driven protections and continuous visibility. Implementing Identity-Aware Proxy helps secure applications by enforcing identity-based authentication and authorization, creating a centralized control point that reduces exposure to credential theft and vulnerability exploitation. Organizations should also monitor for leaked credentials through Google Cloud integrations that scan public sources for exposed keys and can automatically disable them before they are abused. 
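Leaked-credential monitoring is worth understanding at the pattern level even when a managed integration does the scanning. The block below is an added example and is not Google Cloud's own detection; it scans a text blob for the two most commonly leaked Google Cloud credential types, Google API keys (the documented 39-character `AIza...` format) and downloaded service account key files (JSON with `type`, `private_key_id`, `private_key`, `client_email`), and builds the `gcloud` commands that revoke them. The sample CI log is constructed and contains no real key material.

```python
"""Scan text (a repository file, a paste site dump, a CI log) for leaked Google
Cloud credentials and build the gcloud commands that revoke them.

This is an illustrative scanner, not Google Cloud's own leaked-credential
integration. The sample input is constructed and contains no real key material.
"""
import json
import re

# Google API keys are 39 characters: the prefix "AIza" plus 35 URL-safe chars.
API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")

# A downloaded service account key is a JSON object carrying at least these
# fields; the private key is a PEM block labelled PRIVATE KEY.
SA_KEY_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}
JSON_OBJECT_RE = re.compile(r"\{[^{}]*\}")   # flat JSON objects only, which SA keys are

# Constructed sample: a CI log that leaked both kinds of credential.
SAMPLE_TEXT = """\
2025-06-03T10:14:02Z deploy: using MAPS_KEY=AIzaSyD-EXAMPLE000000000000000000000000
2025-06-03T10:14:03Z deploy: wrote key file:
{"type": "service_account", "project_id": "example-proj",
 "private_key_id": "0123456789abcdef0123456789abcdef01234567",
 "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkqFAKEFAKEFAKE\\n-----END PRIVATE KEY-----\\n",
 "client_email": "ci-deploy@example-proj.iam.gserviceaccount.com",
 "client_id": "112233445566778899000"}
2025-06-03T10:14:04Z deploy: done
"""


def find_api_keys(text: str) -> list[str]:
    """Distinct API key strings found in the text."""
    return sorted(set(API_KEY_RE.findall(text)))


def find_service_account_keys(text: str) -> list[dict]:
    """Parsed service account key objects found in the text."""
    found = []
    for blob in JSON_OBJECT_RE.findall(text):
        try:
            obj = json.loads(blob)
        except json.JSONDecodeError:
            continue
        if (isinstance(obj, dict)
                and obj.get("type") == "service_account"
                and SA_KEY_FIELDS.issubset(obj)
                and "PRIVATE KEY" in obj.get("private_key", "")):
            found.append(obj)
    return found


def remediation_commands(text: str) -> list[str]:
    """Commands to revoke what was found. Disabling a service account key is
    reversible, so it is the safe first response; an API key must first be
    resolved from its string to its resource name, then deleted."""
    cmds = []
    for key in find_service_account_keys(text):
        cmds.append(
            f"gcloud iam service-accounts keys disable {key['private_key_id']} "
            f"--iam-account={key['client_email']}"
        )
    for api_key in find_api_keys(text):
        cmds.append(f"gcloud services api-keys lookup {api_key}   # then: gcloud services api-keys delete <name>")
    return cmds


if __name__ == "__main__":
    for c in remediation_commands(SAMPLE_TEXT):
        print(c)
```

Disabling first and deleting after the owning team has rotated the key avoids breaking a workload whose key was leaked but not yet abused; the audit log entries for the key between leak and disable are the next thing to pull.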

At the same time, maintaining strong visibility across cloud environments is essential. Platforms such as Google Security Command Center enable continuous monitoring for misconfigurations, vulnerabilities, and active threats, while vulnerability detection and container image scanning in Artifact Registry help identify weaknesses in applications and operating systems. Timely patching remains one of the most effective defenses against remote code execution attacks that frequently target unpatched software.

Google Cloud warns that destructive cyberattacks such as ransomware increasingly extend beyond technical disruption, causing prolonged business downtime and significant financial losses when operations are interrupted. According to Mandiant's M-Trends 2025 report, financially motivated cybercriminals are no longer targeting only production systems and data but are also actively pursuing backup infrastructure and recovery platforms.

Incident response teams at Mandiant report that traditional disaster recovery strategies, which focus mainly on technical restoration, often fall short after a cyberattack because organizations must also rebuild operational trust with partners and third parties. 

Threat actors are increasingly attacking backup environments to undermine recovery efforts. For example, the group UNC2165, which has used ransomware families such as RansomHub, has been observed accessing victims’ cloud-based data backups, deleting backup routines and stored data, and altering user permissions to disrupt response and recovery. Researchers have also linked similar activity to UNC4393, previously associated with Black Basta, and UNC2465, which has been tied to ransomware campaigns involving DarkSide and LockBit that have also targeted backup platforms.

The Cloud Threat Horizons Report H2 2025 notes that recovery from large-scale ransomware attacks is often slowed by operational challenges such as unavailable backup data, limited production capacity during forensic investigations, prolonged restoration timelines, inaccessible recovery plans stored within affected environments, and undefined recovery objectives. Attacks can also disrupt critical infrastructure dependencies, including Active Directory, DNS, DHCP, virtualization platforms, and security tools, meaning organizations may need to restore these core services before backup systems and data recovery processes can begin.

Common recovery strategies focus on how organizations restore systems and data after an incident, particularly a large-scale event such as a ransomware attack. The recovery approach ultimately depends on the condition in which attackers leave the environment and the level of preparation that was in place before the attack.

Organizations should design recovery architectures with business Recovery Time Objectives in mind. Aligning RTO requirements with an understanding of likely threat tactics helps organizations weigh the risks and tradeoffs of different recovery strategies while maintaining resilience.

One option is a Cloud Isolated Recovery Environment, which combines a secure data vault with a dedicated recovery environment. This approach can improve resilience against attacker interference but requires greater preparation and investment. Another strategy involves recovery from an isolated data vault, where recent backups are stored separately to preserve data integrity and availability, though it may still face some of the same limitations as relying on production systems. A third model relies on online or production-integrated backups, which depend on operational production backup systems and infrastructure and may be more vulnerable to disruption by threat actors.

To counter growing threats against backup infrastructure, Google Cloud recommends adopting a Cloud Isolated Recovery Environment (CIRE) as part of a broader cyber resilience strategy. A CIRE combines several elements: an Isolated Data Vault that stores immutable backups, an Isolated Validation Environment where data can be restored, tested, and cleaned before returning to production, and a secured services layer that isolates and protects the recovery infrastructure itself.

This architecture relies on core cloud capabilities to strengthen recovery readiness. Logical isolation and segmentation separate production environments from backup systems using dedicated networks and strict identity controls, while immutable storage, such as Google Cloud Storage with versioning and retention policies, creates tamper-resistant backup vaults. Elastic compute services like Compute Engine and Google Kubernetes Engine allow organizations to rapidly restore and validate data in isolated environments before returning systems to operation.
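Whether a backup bucket actually is tamper-resistant comes down to a handful of settings, and they drift. The following added example, not code from Google Cloud or from the report, checks bucket metadata in the shape returned by the Cloud Storage JSON API (`storage.buckets.get`, also what `gcloud storage buckets describe --format=json` prints) against the vault bar: object versioning on, a retention policy at least as long as the required window and locked so it cannot be shortened, uniform bucket-level access, public access prevention enforced, and a multi- or dual-region location. The three bucket records are constructed; the single-region test on the location string is a heuristic (predefined dual- and multi-region names such as US, EU, NAM4 carry no hyphen; regions such as US-CENTRAL1 do).

```python
"""Check that backup buckets meet the immutable-vault bar.

Input is bucket metadata in the Cloud Storage JSON API shape. Constructed sample
records are embedded so the script runs offline; bucket names are fictitious.
"""
import json

DAY = 86400

# Constructed sample: one vault bucket done right, two that an attacker holding
# stolen credentials could still empty or overwrite.
SAMPLE_BUCKETS = json.dumps([
    {"name": "vault-prod-backups",
     "location": "US",                       # multi-region
     "versioning": {"enabled": True},
     "retentionPolicy": {"retentionPeriod": str(90 * DAY), "isLocked": True},
     "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True},
                          "publicAccessPrevention": "enforced"}},
    {"name": "backups-legacy",
     "location": "US-CENTRAL1",
     "versioning": {"enabled": False},
     "retentionPolicy": {"retentionPeriod": str(7 * DAY), "isLocked": False},
     "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False},
                          "publicAccessPrevention": "inherited"}},
    {"name": "db-dumps",
     "location": "EUROPE-WEST1",
     "versioning": {"enabled": True},       # versioned but no retention policy
     "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True},
                          "publicAccessPrevention": "enforced"}},
])


def check_vault_bucket(bucket: dict, min_retention_days: int) -> list[str]:
    """Return the reasons a bucket fails the vault bar; an empty list means compliant."""
    problems = []
    if not bucket.get("versioning", {}).get("enabled"):
        problems.append("object versioning disabled: an overwrite destroys the only copy")
    policy = bucket.get("retentionPolicy")
    if policy is None:
        problems.append("no retention policy: objects can be deleted immediately")
    else:
        # retentionPeriod is a string of seconds in the API.
        days = int(policy.get("retentionPeriod", "0")) // DAY
        if days < min_retention_days:
            problems.append(f"retention {days}d is shorter than the required {min_retention_days}d")
        if not policy.get("isLocked"):
            problems.append("retention policy not locked: an admin (or an attacker with admin rights) can remove it")
    iam = bucket.get("iamConfiguration", {})
    if not iam.get("uniformBucketLevelAccess", {}).get("enabled"):
        problems.append("uniform bucket-level access off: per-object ACLs can widen access")
    if iam.get("publicAccessPrevention") != "enforced":
        problems.append("public access prevention not enforced")
    # Heuristic: region names contain a hyphen, predefined dual/multi-regions do not.
    if "-" in bucket.get("location", ""):
        problems.append(f"single-region location {bucket['location']}: no regional redundancy")
    return problems


def audit_vault(buckets_json: str, min_retention_days: int = 30) -> dict[str, list[str]]:
    """Map each bucket name to its list of problems."""
    return {b["name"]: check_vault_bucket(b, min_retention_days)
            for b in json.loads(buckets_json)}


if __name__ == "__main__":
    for name, problems in audit_vault(SAMPLE_BUCKETS).items():
        status = "OK" if not problems else f"{len(problems)} problem(s)"
        print(f"{name}: {status}")
        for p in problems:
            print(f"  - {p}")
```

Set `min_retention_days` from the recovery plan, not from storage cost: it has to cover the time between a backup being written and the organisation noticing that the environment is compromised, plus the restoration window, otherwise the retention lock expires on exactly the copies the recovery needs.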

The approach also integrates cloud native security tools, including Google Security Command Center for vulnerability detection and threat monitoring, Google Security Operations for incident response, and Artifact Registry for secure software images. Secure identity-based access through Identity-Aware Proxy, combined with geographic redundancy across multiple cloud regions, further ensures that organizations can maintain resilient and recoverable backup environments even during large-scale cyber incidents.

The Cloud Threat Horizons Report H2 2025 highlights persistent threats from sophisticated state-sponsored actors targeting cloud environments and digital assets. Researchers from the Google Threat Intelligence Group are tracking UNC4899, which they assess with high confidence to be linked to North Korea's Reconnaissance General Bureau and to overlap with activity publicly associated with the TraderTraitor operation. Active since at least 2020, the group primarily targets the cryptocurrency and blockchain sectors and has demonstrated the capability to carry out complex supply chain compromises.

The report also finds that attackers are increasingly abusing legitimate cloud storage platforms in their initial attack chains, using them to host seemingly harmless decoy files, often PDFs. Analysis from Google Cloud and its Google Threat Intelligence Platform shows that APT (advanced persistent threat) groups and cybercriminals alike are adopting this tactic to mislead users and trigger malware execution or deeper system compromise. By abusing widely used cloud services, attackers blend malicious activity with normal workplace behavior, making detection far more difficult for defenders and highlighting the need for stronger monitoring and security hygiene.

In many cases, attackers first lure a victim into opening a malicious link or file, such as a document containing a harmful macro. Once opened, the embedded code executes in the background while presenting a benign-looking decoy PDF to the user. The decoy file may be hosted on a cloud storage service or dropped locally by the malware, masking the malicious activity and helping attackers maintain access without raising immediate suspicion.

Last month, Google Cloud called for a ‘shared fate’ cybersecurity model between utilities and data centers as cyberattacks against critical infrastructure grow more sophisticated. The approach moves beyond siloed security efforts to create a unified digital immune system that combines AI-driven threat intelligence with cloud native resilience to help safeguard power grids facing a ‘perfect storm’ of rising electricity demand and legacy infrastructure vulnerabilities.
