Skip to Main Content

Google’s Cloud Service Hacked to Mine Cryptocurrency

December 20, 2021

Google recently launched the Google Cybersecurity Action Team (GCAT) to support digital security efforts and increase customer defenses, especially relating to cloud services. As part of that effort, Google issued their first GCAT Threat Horizons report in late November.

The report, “summarizes actionable intelligence that enables organizations to protect against ever-evolving threats,” states the executive summary.

There are five specific threats included in the report involving cryptocurrency mining abuse, phishing, and malware. While all of these are areas of concern, much attention has been given to the use of Google Cloud Platform (GCP) instances to exploit cryptocurrency mining.

According to the report executive summary:

  •  Of 50 recently compromised GCP instances, 86% of the compromised Cloud instances were used to perform cryptocurrency mining.
  • 10% of compromised Cloud instances were used to conduct scans of other publicly available resources on the Internet to identify vulnerable systems.
  • ·8% of instances were used to attack other targets.

In these instances, it appears the ultimate goal was not to steal data, reports GCAT. However, it still presents a major risk for compromised assets and serves as a reminder to ensure proper security is being applied to cloud services.

“While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation,” reported Bob Mechler and Seth Rosenblatt, both Google Cloud staffers, in a blog post on the Threat Horizons report.

The most frequently identified issue associated with GCP vulnerabilities were weak or no passwords for user accounts or application programming interface (API) connections, with nearly half of all compromised incidents falling into this category. Concerns with third-party software programs came in second, with misconfiguration, leaked credentials, and other issues also creating vulnerabilities.

The report also provides recommendations for mitigating attacks and improving cloud security based on their findings, including:

  • Following password and configuration best practices
  • Ensure third-party software is up to date
  • Implement appropriate preventative tools to identify security vulnerabilities
  • Set up alerts to notify of high resource consumption
  • Avoid publishing credentials on GitHub.

The report provides additional detail on the GCP cryptocurrency mining exploitation as well as the other identified concerns. The other attacks detailed include a large-scale phishing attack against Gmail accounts by Russian attackers, abuse of cloud resources to generate traffic to YouTube for view count manipulation, North Korean attackers posing as Samsung recruiters, and a new ransomware called Black Matter.

You can view the full report or visit the GCAT website for more information on these attacks and for the latest news in the world of cybersecurity.

Want to learn about cybersecurity? View the full list of bachelor’s, master’s and doctorate degrees in cyber and information security. Many courses are available both on campus and online. To learn more about Capitol Tech’s degree programs, contact