Full Report
https://expel.com/blog/incident-report-spotting-an-attacker-in-gcp/
Analysis Summary
# Incident Report: GCP Service Account Compromise and Infrastructure Discovery
## Executive Summary
An attacker gained unauthorized access to a Google Cloud Platform (GCP) environment by compromising a long-lived Service Account key. The threat actor performed extensive discovery and reconnaissance across GCP services, including Compute Engine and Cloud Storage, before being detected and evicted. The timely response prevented data exfiltration or significant operational impact.
## Incident Details
- **Discovery Date:** August 2023
- **Incident Date:** August 2023
- **Affected Organization:** Undisclosed Expel Customer
- **Sector:** Technology/Cloud Services
- **Geography:** Global/Cloud-based
## Timeline of Events
### Initial Access
- **Date/Time:** Day 0 (Detection Day)
- **Vector:** Compromised Service Account (SA) Key.
- **Details:** The attacker used a valid JSON key file for a service account named `[REDACTED]-compute-sa`. The exact method of key theft (e.g., a public repository leak or a compromised developer workstation) was not specified.
### Lateral Movement
- **Reconnaissance:** The attacker moved between GCP services by calling their APIs with the stolen key.
- **Cross-Project Probing:** Testing permissions across multiple GCP projects within the organization's hierarchy.
### Data Exfiltration/Impact
- **Status:** Prevented. While the attacker queried Cloud Storage buckets (`gsutil ls`) and attempted to list VM instances, no large-scale data transfer was observed prior to mitigation.
### Detection & Response
- **Detection:** Expel’s MDR platform flagged suspicious `GetProject` and `ListInstances` calls coming from an IP address not associated with the customer’s known environment.
- **Response:** The security team identified the specific service account key being used, revoked the key, and audited the environment for further unauthorized activity.
## Attack Methodology
- **Initial Access:** Valid Service Account JSON key.
- **Persistence:** None (the attacker relied on the continued validity of the stolen long-lived key).
- **Privilege Escalation:** Attempted to leverage broad permissions assigned to the Service Account.
- **Defense Evasion:** Used standard GCP SDK/CLI tools to blend in with administrative traffic.
- **Credential Access:** Stolen Service Account key (Pre-incident).
- **Discovery:** Extensive use of `compute.instances.list`, `storage.buckets.list`, and `resourcemanager.projects.get`.
- **Lateral Movement:** Cloud-native movement through API calls across projects.
- **Collection:** Attempted listing of bucket contents.
- **Exfiltration:** None confirmed.
- **Impact:** Potential for data theft and resource misuse (cryptomining/ransomware) had the attack progressed.
## Impact Assessment
- **Financial:** Low (Limited to investigation and remediation costs).
- **Data Breach:** None confirmed; metadata discovery only.
- **Operational:** Minimal; service account rotation required temporary downtime for associated legitimate services.
- **Reputational:** Low; contained internally.
## Indicators of Compromise
- **Network indicators:**
  - `146[.]190[.]48[.]22` (DigitalOcean droplet used by attacker)
  - `138[.]197[.]153[.]225`
- **Behavioral indicators:**
  - High volume of `compute.instances.list` calls from an unrecognized IP.
  - Multiple `GetProject` failures followed by successes (permission testing).
  - Use of `google-cloud-sdk` from a non-corporate ISP.
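The three behavioral indicators above can be turned into detection logic over Cloud Audit Log entries. The following is an added example, not code from Expel or the original post; the log records are constructed, the `protoPayload` field names follow the Cloud Audit Log layout, and the egress address, service-account name, user agent and method-name strings are assumptions.

```python
from collections import Counter, defaultdict

# Assumed corporate egress addresses; any other caller IP counts as "unrecognized".
KNOWN_EGRESS = {"203.0.113.10"}
GET_PROJECT = "google.cloudresourcemanager.v1.Projects.GetProject"  # assumed methodName string
DISCOVERY = {"v1.compute.instances.list", "storage.buckets.list", GET_PROJECT}
PERMISSION_DENIED = 7  # google.rpc.Code value written to protoPayload.status.code

def entry(method, principal, ip, agent, code=0):
    """Build a constructed audit-log record using the Cloud Audit Log protoPayload field names."""
    return {"protoPayload": {"methodName": method, "status": {"code": code},
                             "authenticationInfo": {"principalEmail": principal},
                             "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": agent}}}

SA = "example-compute-sa@example-project.iam.gserviceaccount.com"  # assumed principal
SDK = "google-cloud-sdk gcloud/450.0.0"                               # assumed user agent
SAMPLE_LOGS = [  # constructed: two denied GetProject probes, then success and discovery calls
    entry(GET_PROJECT, SA, "198.51.100.7", SDK, code=PERMISSION_DENIED),
    entry(GET_PROJECT, SA, "198.51.100.7", SDK, code=PERMISSION_DENIED),
    entry(GET_PROJECT, SA, "198.51.100.7", SDK),
    entry("v1.compute.instances.list", SA, "198.51.100.7", SDK),
    entry("storage.buckets.list", SA, "198.51.100.7", SDK),
    entry("v1.compute.instances.list", SA, "203.0.113.10", SDK),  # legitimate, from corporate egress
]

def detect(entries, known_egress=KNOWN_EGRESS, volume_threshold=3):
    """Apply the three behavioural indicators; return sorted (rule, principal, caller_ip) tuples."""
    volume = Counter()                              # off-site discovery calls per (principal, ip)
    probe = defaultdict(lambda: [False, False])     # [saw PERMISSION_DENIED, saw a later success]
    sdk_offsite = set()
    for rec in entries:
        p = rec["protoPayload"]
        meta = p.get("requestMetadata", {})
        method, code = p.get("methodName", ""), p.get("status", {}).get("code", 0)
        key = (p.get("authenticationInfo", {}).get("principalEmail", ""), meta.get("callerIp", ""))
        offsite = key[1] not in known_egress
        if offsite and method in DISCOVERY:
            volume[key] += 1
        if method == GET_PROJECT:                   # denied-then-allowed = permission testing
            if code == PERMISSION_DENIED:
                probe[key][0] = True
            elif code == 0 and probe[key][0]:
                probe[key][1] = True
        if offsite and "google-cloud-sdk" in meta.get("callerSuppliedUserAgent", ""):
            sdk_offsite.add(key)
    findings = [("discovery_volume_unknown_ip",) + k for k, n in volume.items() if n >= volume_threshold]
    findings += [("getproject_denied_then_success",) + k for k, s in probe.items() if all(s)]
    findings += [("cloud_sdk_from_unknown_ip",) + k for k in sdk_offsite]
    return sorted(findings)
```

Feed `detect()` entries exported from a Cloud Logging sink and replace `KNOWN_EGRESS` with the real egress set; the volume threshold should be tuned per environment, since automation can legitimately list instances often.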
## Response Actions
- **Containment:** Immediately disabled/deleted the compromised Service Account key.
- **Eradication:** Screened all other keys for that Service Account; reviewed IAM policies to ensure no backdoors (new users) were created.
- **Recovery:** Provisioned new, rotated keys for legitimate applications and updated environment variables in production.
## Lessons Learned
- **Key Vulnerability:** Long-lived JSON keys are a significant risk; if leaked, they grant immediate access without any interactive authentication step that could stop the attacker.
- **Logging Gaps:** GCP does not record Data Access audit logs (such as `storage.objects.get`) by default; unless they are specifically enabled, forensic investigation of what was read is hindered.
- **Visibility:** Monitoring "Identity-centric" logs is critical for cloud security.
## Recommendations
- **Shift to Identity Federation:** Use Workload Identity Federation instead of static JSON keys for applications running outside of GCP.
- **Implement Short-lived Credentials:** Use the Service Account Credentials API to generate temporary tokens.
- **Enforce IAM Least Privilege:** Review Service Account roles and remove broad permissions like `Editor` or `Owner`.
- **Enable Enhanced Logging:** Turn on GCP Data Access audit logs for Cloud Storage and other sensitive services.
- **Geofencing/IP Restrictions:** Where possible, restrict API access to known corporate egress points, or use VPC Service Controls to confine access to a service perimeter.