We believe that this shift is a sign of defensive progress. Google’s secure-by-default strategy and enhanced credential protections are likely closing traditional paths, forcing threat actors to adopt faster, more automated paths through unpatched applications. We assess that threat actors are increasingly using AI to accelerate the discovery phase, allowing them to identify and exploit vulnerable software at unprecedented speeds.
As part of our shared fate approach to helping build resilient cloud foundations through secure configurations and policies, last week we made available a new recommended security controls checklist.
As we look ahead to 2026, our security experts offer four critical insights from the new report:
- Collapse of the exploitation window: Attack speeds can now be measured in days. For example, during the React2Shell incident, GTIG observed threat actors deploying cryptocurrency miners within approximately 48 hours of the vulnerability's public disclosure. Organizations should not wait for a patch to be tested before acting. They should pivot to automated defenses, such as Web Application Firewalls (WAF), that block known exploit patterns at the network edge while patching proceeds; edge filtering buys time, it does not replace the patch.
- North Korean actors weaponize Kubernetes: The report details a previously undocumented, sophisticated campaign by UNC4899 targeting a cryptocurrency organization. By abusing legitimate DevOps workflows and breaking out of privileged containers, these threat actors stole millions in cryptocurrency. This highlights the critical risk posed by living-off-the-cloud (LOTC) techniques, and the need for strict isolation in cloud runtime environments.
- From CI/CD to cloud destruction: We're also following supply chain infections targeting the CI/CD pipeline. In one case, a compromised node package manager (npm) package, tracked as QUIETVAULT, allowed threat actors (UNC6426) to abuse OpenID Connect (OIDC) trust relationships and gain full Amazon Web Services (AWS) administrator permissions in under 72 hours. Reaching crown-jewel access this way underscores the need for the principle of least privilege in automated pipelines: the cloud identity a pipeline can assume should be scoped to the specific repository, branch and workflow that needs it, and carry only the permissions that deployment step requires.
- Anti-forensic and destructive tactics: Sophisticated threat actors are no longer just stealing data; they are sabotaging the evidence. In late 2025, we continued to see all major ransomware gangs delete logs, core dumps, and backups to hinder recovery and forensic investigations. Moving to high-fidelity, tamper-resistant logging, with logs shipped off-host to storage that the compromised environment cannot modify or delete, is now a regulatory and operational necessity.
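The Kubernetes item above turns on Pod settings that let code inside a container reach the node. The following is an added example, not code from the report or from any real policy engine: a small auditor that flags those settings in a Pod manifest, applied to a deliberately wide-open manifest and a hardened one. The manifests, names and images are constructed for illustration; the checks correspond roughly to what the Kubernetes Pod Security Standards "restricted" profile forbids.

```python
"""Audit a Kubernetes Pod manifest for settings that weaken pod-to-node isolation.

Added example (not from the Cloud Threat Horizons report). The manifests below are
constructed; the checks mirror the host-access settings a privileged-container
breakout depends on.
"""
from typing import Iterable

# Linux capabilities that on their own give a container a route to the node.
BREAKOUT_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "NET_ADMIN"}


def _containers(spec: dict) -> Iterable[tuple[str, dict]]:
    """Yield (name, container) for every container type a Pod spec can carry."""
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):
            yield c.get("name", "<unnamed>"), c


def audit_pod(pod: dict) -> list[str]:
    """Return one finding per isolation-weakening setting (empty list means clean)."""
    findings: list[str] = []
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Sharing a host namespace lets a process see or join node-level processes and sockets.
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns) is True:
            findings.append(f"{pod_name}: spec.{ns}=true shares a node namespace")

    # Any hostPath mount exposes node state; the container runtime socket is the classic breakout.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{pod_name}: volume {vol.get('name')!r} mounts node path "
                            f"{vol['hostPath'].get('path')!r}")

    for cname, c in _containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("privileged") is True:
            findings.append(f"{pod_name}/{cname}: privileged=true (all devices and capabilities)")
        added = {cap.removeprefix("CAP_") for cap in sc.get("capabilities", {}).get("add", [])}
        for cap in sorted(added & BREAKOUT_CAPS):
            findings.append(f"{pod_name}/{cname}: adds capability {cap}")
        if sc.get("allowPrivilegeEscalation", True):   # unset defaults to allowed
            findings.append(f"{pod_name}/{cname}: allowPrivilegeEscalation is not false")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{pod_name}/{cname}: runAsNonRoot is not enforced")
    return findings


def is_isolated(pod: dict) -> bool:
    return not audit_pod(pod)


# Constructed manifest: a "DevOps helper" pod whose settings hand any code running
# in it (a poisoned build step, for instance) a direct path to the node.
WIDE_OPEN_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "build-helper"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "runner",
            "image": "example/runner:latest",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

# The same workload with the isolation settings the restricted profile expects.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "build-helper-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "runner",
            "image": "example/runner:latest",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WIDE_OPEN_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "isolated" if is_isolated(pod) else audit_pod(pod))
```

The auditor reads the manifest, not the running container, so it belongs in admission (a Pod Security Admission level or a policy engine) or in CI, where it rejects the wide-open spec before the workload can be scheduled.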
How CISOs can help organizations adapt
As 2026 unfolds — bringing with it geopolitical unrest and major events such as the FIFA World Cup and U.S. midterm elections — threat actors will continue to exploit the trust gap in cloud platforms. We strongly recommend moving toward automated identity-based controls and forensic readiness to navigate these threats.
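The QUIETVAULT case above and the identity-based controls recommended here meet in the trust policy of the cloud role a pipeline is allowed to assume. What follows is an added example, not code from the report or from the UNC6426 intrusion, and it does not claim to reproduce that intrusion's mechanism: it assumes a GitHub Actions to AWS OIDC federation (the report does not name the CI system) and evaluates a deliberately broad trust policy beside a tightly scoped one against constructed token claims. The organization, repository names and account ID are made up; the condition keys, claim names and operator semantics are the documented ones for the AWS/GitHub integration.

```python
"""Evaluate an AWS IAM role trust policy against GitHub Actions OIDC token claims.

Added example, not from the report. It shows why a wildcard `sub` condition lets
code running in any job of an org (a poisoned dependency included) assume the
role, while an exact `sub` match does not. All names and claims are constructed.
"""
import fnmatch

PROVIDER = "token.actions.githubusercontent.com"
ACCOUNT_ID = "123456789012"   # made-up account
FEDERATED = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER}"


def trust_policy(sub_operator: str, sub_pattern: str) -> dict:
    """Role trust policy admitting GitHub Actions tokens whose `sub` satisfies sub_pattern."""
    condition = {"StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"}}
    condition.setdefault(sub_operator, {})[f"{PROVIDER}:sub"] = sub_pattern
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": FEDERATED},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Weak: any repository, branch, tag or pull request in the org can assume the role.
WEAK_TRUST_POLICY = trust_policy("StringLike", "repo:example-org/*")
# Strict: only a push to main of the one repository that deploys this service.
STRICT_TRUST_POLICY = trust_policy(
    "StringEquals", "repo:example-org/payments-api:ref:refs/heads/main")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _value_matches(operator: str, patterns: list, value: str) -> bool:
    if operator == "StringEquals":
        return value in patterns
    if operator == "StringLike":          # IAM wildcards: * and ?
        return any(fnmatch.fnmatchcase(value, p) for p in patterns)
    raise ValueError(f"condition operator {operator!r} not modelled here")


def can_assume(policy: dict, claims: dict) -> bool:
    """True if an Allow statement for AssumeRoleWithWebIdentity accepts these claims.

    Every operator block in a Condition must hold (AND); within one key, any listed
    value may match (OR); a missing claim fails the condition.
    """
    issuer_host = claims.get("iss", "").removeprefix("https://")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        if not stmt.get("Principal", {}).get("Federated", "").endswith("/" + issuer_host):
            continue   # token issued by a provider this role does not trust
        satisfied = True
        for operator, key_values in stmt.get("Condition", {}).items():
            for key, patterns in key_values.items():
                claim = key.rsplit(":", 1)[1]          # "<provider>:sub" -> "sub"
                value = claims.get(claim)
                if value is None or not _value_matches(operator, _as_list(patterns), value):
                    satisfied = False
        if satisfied:
            return True
    return False


def github_token(repository: str, sub: str) -> dict:
    """Constructed claims of a GitHub Actions OIDC token (only jobs with id-token: write get one)."""
    return {"iss": f"https://{PROVIDER}", "aud": "sts.amazonaws.com",
            "sub": sub, "repository": repository}


RELEASE_JOB = github_token("example-org/payments-api",
                           "repo:example-org/payments-api:ref:refs/heads/main")
# Tokens a compromised dependency could mint from other jobs in the same org.
POISONED_DOCS_JOB = github_token("example-org/docs-site",
                                 "repo:example-org/docs-site:pull_request")
POISONED_PR_JOB = github_token("example-org/payments-api",
                               "repo:example-org/payments-api:pull_request")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("strict", STRICT_TRUST_POLICY)):
        for job, tok in (("release", RELEASE_JOB), ("docs PR", POISONED_DOCS_JOB),
                         ("fork PR", POISONED_PR_JOB)):
            print(f"{name:6} policy, {job:8} job -> {'ALLOW' if can_assume(policy, tok) else 'deny'}")
```

Even the strict policy trusts every workflow in payments-api that runs on main; the token's job_workflow_ref claim can be matched as well to pin the role to one workflow file. And the trust policy only decides who may assume the role: its permission policy should stop at what the deployment step needs rather than AdministratorAccess, so that a token minted from the wrong job yields little even if the trust check is bypassed.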
For deeper technical analysis on these trends, including granular data on malicious insider behavior and risk management recommendations for Google Cloud and platform-agnostic environments, you can download the full H1 2026 Cloud Threat Horizons report here.
Source Credit: https://cloud.google.com/blog/products/identity-security/cloud-ciso-perspectives-new-threat-horizons-report-highlights-current-cloud-threats/
