CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys

MITRE Techniques

• [T1552.004] Cloud Credentials – The threat actor scanned public GitHub repositories for exposed AWS IAM credentials and used them to access cloud resources. Quote: “The threat actor also appeared to blocklist AWS accounts that routinely expose IAM credentials.”
• [T1567.002] Exfiltration to Cloud Storage – The payload was stored encrypted on Google Drive and decrypted upon download. Quote: “The payload was stored encrypted and then decrypted upon download.”
• [T1583] Acquire Infrastructure – The actor used semi-random IaC (Terraform) to replicate AWS infrastructure for mining operations. Quote: “We created a semi-random AWS infrastructure using IaC templates for Terraform, which is an IaC provisioning tool to manage and maintain cloud infrastructure.”
• [T1087] Account Discovery – AWS account reconnaissance was performed to gather cloud environment details. Quote: “Figure 3 shows that the threat actor starts by performing an AWS account reconnaissance operation.”
• [T1564] Hide Artifacts – The actor used a VPN to obscure their identity during automated operations. Quote: “the actor was using a virtual private network (VPN) and Google Drive-exported documents to deliver payloads.”