Google Cloud report highlights shift in ransomware tactics targeting backup systems


A new report out today from Google Cloud’s Office of the CISO digs into a growing trend in the evolution of cyberattacks: the rise of financially motivated threat actors who are now targeting backup infrastructure directly, not just encrypting production systems.

As detailed in the H2 2025 Cloud Threat Horizons Report, Google’s researchers have observed advanced persistent threat groups, including UNC3944, UNC2165 and UNC4393, actively deleting backup routines, corrupting stored data and modifying user permissions to prevent recovery.

The report notes that this shift is a significant escalation from earlier tactics: attackers aim to erase any remaining lifelines, eliminating restoration paths to force quicker ransom payouts.

A key trend highlighted in the report is the increasing complexity of cyber recovery, as threat actors now deliberately create prolonged downtime scenarios. These tactics increase business disruption by introducing cascading failures, taking out not only production environments but also the tools and infrastructure necessary for recovery.

The report details that credential compromise and misconfiguration remain the dominant initial access vectors, involved in 47% and 29% of cases respectively. Not surprisingly, leaked credentials remain an ongoing concern: the report emphasizes the need for improved identity security and posture management.

The continued misuse of cloud services such as Google Drive, GitHub and Dropbox to host malicious decoy files is also highlighted. Threat actors and other hackers were found to be sharing malicious files, often disguised as harmless PDFs, on cloud services; opening the files triggers background malware downloads.

Another part of the report details activity from North Korea-aligned group UNC4899, also known as TraderTraitor. It has been bypassing multifactor authentication protections via social engineering and session cookie theft to target cloud-hosted cryptocurrency platforms. Google’s researchers observed the North Korean hackers disabling and later re-enabling MFA to avoid detection, demonstrating an advanced level of both precision and awareness.
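The two behaviours the report describes above, backup-schedule deletion and MFA being disabled and quietly re-enabled, both leave a trace in identity and cloud audit logs. As an added example that is not part of the report or the article, the following Python flags those sequences over a handful of constructed audit log lines; the log format, field names and action names are assumptions, not any vendor's real schema.

```python
"""Flag MFA disable/re-enable sequences and backup tampering in audit logs."""
import re
from datetime import datetime, timedelta

# Constructed sample audit log lines (format and action names are assumed).
SAMPLE_LOG = """\
2025-06-01T10:00:05Z actor=alice action=login result=success
2025-06-01T10:02:11Z actor=alice action=mfa_disable target=alice
2025-06-01T10:03:40Z actor=alice action=session_new ip=203.0.113.7
2025-06-01T10:09:02Z actor=alice action=mfa_enable target=alice
2025-06-01T11:15:00Z actor=bob action=mfa_disable target=bob
2025-06-02T09:00:00Z actor=bob action=mfa_enable target=bob
2025-06-01T12:00:00Z actor=svc-backup action=backup_schedule_delete target=daily-prod
"""

# Assumed action names that remove a recovery path (the report's "deleting backup routines").
BACKUP_TAMPER_ACTIONS = {"backup_schedule_delete", "backup_delete", "retention_policy_shorten"}

LINE_RE = re.compile(r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+)(?: target=(?P<target>\S+))?")


def parse(log: str) -> list:
    """Parse log text into dicts with a datetime 'ts'; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_mfa_toggles(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """Return (target, disabled_at, reenabled_at) for MFA disabled then re-enabled within `window`.

    A short disable/re-enable gap is the pattern of an attacker who wants MFA off only long
    enough to establish a session and then restores it so the change does not stand out."""
    pending, findings = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):  # logs may arrive out of order
        if e["action"] == "mfa_disable":
            pending[e["target"]] = e["ts"]
        elif e["action"] == "mfa_enable" and e["target"] in pending:
            disabled_at = pending.pop(e["target"])
            if e["ts"] - disabled_at <= window:
                findings.append((e["target"], disabled_at, e["ts"]))
    return findings


def find_backup_tampering(events: list) -> list:
    """Return (actor, target) for every event that removes or weakens a backup routine."""
    return [(e["actor"], e["target"]) for e in events if e["action"] in BACKUP_TAMPER_ACTIONS]
```

Bob's disable and re-enable are a day apart and fall outside the window, so only Alice's seven-minute toggle and the backup schedule deletion are reported; tune the window to the legitimate MFA re-enrolment time in your own environment.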

The report concludes with advice on how to mitigate the evolving threats, though perhaps a bit self-serving: Google has introduced multiple updates across its ecosystem, including the Verified CRX Upload process for Chrome extensions, which was launched in May. The feature adds a second authentication layer using developer-held private keys to prevent malicious extension updates in the event of OAuth token theft or account compromise.

Image: SiliconANGLE/Reve
