In the cloud, it seems, no one can hear you hack. That, at least, is the inescapable conclusion from last month’s Threat Hunting Report by CrowdStrike. According to the survey, cloud intrusions increased by 136% in the first half of 2025. Most notably, 81% of these intrusions did not involve the use of malware.

Instead of deploying malicious software, attackers are increasingly relying on stolen credentials to gain access and operate within legitimate systems. This shift means that many traditional detection methods built to flag malicious code are being bypassed entirely.

Credential theft and cloud intrusions

The data shows that threat groups, including China-linked actors such as Genesis Panda and Murky Panda, have become adept at using cloud infrastructure as part of their operations.

In a typical case, Genesis Panda compromises a cloud-hosted server and queries the Instance Metadata Service to obtain cloud control plane credentials. These credentials allow them to export large volumes of data from storage buckets, create new accounts for ongoing access, and search systematically for sensitive information.

Because the attackers are using authorised APIs and commands, these activities can appear legitimate to monitoring systems. This makes it far more difficult for compliance teams to spot a problem in time to prevent a breach.

Insider threat enhanced by technology

There has also been a significant increase in insider-style attacks. North Korea-linked Famous Chollima has infiltrated more than 320 companies in the past year, representing a 220% increase. In these cases, attackers do not break in but join the organisation as employees, using generative AI to prepare convincing résumés, pass remote interviews and maintain the appearance of regular productivity. These roles are often in positions with high levels of access, including developers, database administrators, and IT staff.

Once inside, they can steadily collect intellectual property, customer records, source code, and other sensitive materials. These operations often continue for months before they are detected, by which point significant volumes of data may already have been removed.

The move to cloud services has given organisations flexibility, but it has also provided attackers with a highly effective route for data theft. Cloud environments offer scalability, distributed infrastructure, and activity patterns that can be difficult to distinguish from normal operations.

Ransomware groups like Blockade Spider have adapted their methods to take advantage of this. Rather than focusing solely on encrypting endpoint files, they also compromise cloud accounts to access backups, capture credentials from virtualisation platforms, and set up persistence across both on-premises and cloud systems. By targeting backup and disaster recovery systems, they increase the pressure on organisations to meet ransom demands.

For compliance teams, this cross-platform activity creates added complexity. Data that is secure in one system can be exposed when accessed through another, particularly if the virtualisation layer or cloud management controls are compromised.

Practical steps for defence

With most intrusions now avoiding malware entirely, the emphasis in security needs to shift. When attackers operate with valid credentials, the key control point becomes identity rather than the network perimeter. There is a clear need today for data-centric security that protects the data itself and detects misuse, over and above relying solely on keeping attackers out.

In my view, organisations should prioritise embedding data governance, tracking and control. CISOs would be wise to maintain a real-time inventory of where sensitive data resides, who has access to it, and how it is being used. They must apply governance policies that enforce retention limits, classify data automatically, and prevent transfers that breach compliance rules. This approach ensures security teams and compliance officers have the information needed to identify unusual access, prevent unauthorised sharing, and demonstrate control to regulators.

Data must also be encrypted while in use as well as at rest. Attribute-based access controls (ABAC) can help ensure that access decisions are based on more than just user identity. Time, location, and behaviour can all be factored in to detect unusual patterns. CISOs would also be well-advised to implement continuous verification and monitor for deviations from normal account behaviour. Unified monitoring and detailed audit logging across cloud and on-premises systems, too, are essential. Attackers can move quickly from compromise to exfiltration, so detection needs to be equally fast.

Finally, identity monitoring, access controls, anomaly detection, and data activity tracking should be connected so that one alert can trigger follow-up actions elsewhere. This reduces the time attackers can operate without being noticed.
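As an added example (not from the article or from CrowdStrike's report), the following Python applies the detection approach described above to constructed, simplified CloudTrail-style events: it flags an instance role's credentials being used from an address other than the host's own, being used to create new users or access keys, or being used for a burst of storage reads, which together form the pattern of the Genesis Panda case described earlier. The account id, IP addresses, role names and threshold are placeholders.

```python
from collections import Counter

# Constructed, simplified CloudTrail-style records; the account id and IPs are placeholders.
INSTANCE_ROLE_ARN = "arn:aws:iam::123456789012:role/web-instance-role"
KNOWN_INSTANCE_IPS = {"203.0.113.10"}       # the instance's expected egress address
PERSISTENCE_ACTIONS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy"}
STORAGE_READ_ACTIONS = {"ListBuckets", "GetObject"}
BULK_READ_THRESHOLD = 3                     # demo value; tune to the workload's own baseline

def event(name, source, ip, role_arn=INSTANCE_ROLE_ARN):
    """Minimal CloudTrail-shaped record for a call made with a role session's credentials."""
    return {"eventName": name, "eventSource": source, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"arn": role_arn}}}}

SAMPLE_EVENTS = [
    event("DescribeInstances", "ec2.amazonaws.com", "203.0.113.10"),  # routine call from the host
    event("ListBuckets", "s3.amazonaws.com", "198.51.100.7"),         # same credentials, foreign IP
    event("GetObject", "s3.amazonaws.com", "198.51.100.7"),
    event("GetObject", "s3.amazonaws.com", "198.51.100.7"),
    event("CreateUser", "iam.amazonaws.com", "198.51.100.7"),         # new account for persistence
    event("CreateAccessKey", "iam.amazonaws.com", "198.51.100.7"),
    event("PutObject", "s3.amazonaws.com", "203.0.113.10", "arn:aws:iam::123456789012:role/other"),
]

def issuer_arn(ev):
    """The role that issued the session credentials, or None for non-role identities."""
    return ev.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {}).get("arn")

def find_instance_credential_abuse(events, role_arn=INSTANCE_ROLE_ARN, known_ips=KNOWN_INSTANCE_IPS):
    """Flag an instance role's credentials used off-host, for IAM persistence, or for bulk reads."""
    findings, reads_by_ip = [], Counter()
    for ev in events:
        if issuer_arn(ev) != role_arn:
            continue                        # credentials belong to some other principal
        ip, name = ev["sourceIPAddress"], ev["eventName"]
        if ip not in known_ips:             # metadata-service credentials replayed from elsewhere
            findings.append(("off_host_use", name, ip))
        if name in PERSISTENCE_ACTIONS:     # a new user or key outlives the compromised host
            findings.append(("identity_persistence", name, ip))
        if name in STORAGE_READ_ACTIONS:
            reads_by_ip[ip] += 1
    for ip, n in reads_by_ip.items():       # many reads in one batch suggests data export
        if n >= BULK_READ_THRESHOLD:
            findings.append(("bulk_storage_read", f"{n} reads", ip))
    return findings
```

Each finding carries the rule, the action and the source address, so a downstream step can revoke the role session or open a ticket, as the article's point about connecting alerts to follow-up actions suggests.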

Updating compliance approaches

CrowdStrike’s report also highlights an important point for compliance leaders: frameworks and audits need to adapt to new attack methods. Compliance programmes have often been built around set controls and periodic checks. However, when attackers operate entirely within those controls, compliance does not guarantee security.

Moving towards continuous, risk-based compliance is critical. This means aligning compliance activities with current threat intelligence, monitoring on an ongoing basis, and adding compensating controls where needed.

Attackers can and will use legitimate systems, processes, and accounts to reach their goals. As such, defenders should consider how those with valid credentials could misuse them, and which systems would be most vulnerable.

This perspective can help guide investment in monitoring, access controls, and security processes that address the real-world tactics being used now, not just the threats that older frameworks were built to manage.

The 136% increase in cloud intrusions is a clear sign that attack methods are evolving quickly. Organisations need to focus less on stopping malware at the perimeter and more on controlling and monitoring access, wherever it happens.

By strengthening identity controls, applying zero-trust principles, ensuring visibility across all systems, and updating compliance programmes to reflect active threats, organisations can reduce the risk of falling victim to these newer forms of attack.

John Lynch is a director at Kiteworks