Skip to content
Threat Feed
medium advisory

GCP Storage Bucket Deletion for Impact

An adversary may delete a Google Cloud Platform (GCP) storage bucket to disrupt business operations, detected via GCP audit logs.

This threat brief focuses on the malicious deletion of Google Cloud Platform (GCP) storage buckets. Threat actors may target these buckets to disrupt business operations by removing critical data. The detection rule monitors GCP audit logs for bucket deletion events. This activity can lead to significant data loss and service disruption, impacting an organization's ability to function normally. The alert is triggered by the storage.buckets.delete event action within the GCP audit logs. Successful exploitation of this technique could result in prolonged downtime and financial losses.

Attack Chain

  1. The attacker gains unauthorized access to the target's GCP environment, potentially through compromised credentials or a misconfigured IAM role.
  2. The attacker enumerates existing storage buckets within the GCP project to identify targets for deletion.
  3. The attacker uses the gcloud storage buckets delete command or the GCP console to initiate the deletion of a specific storage bucket.
  4. GCP logs the storage.buckets.delete event in the audit logs, capturing details such as the user account, IP address, and timestamp of the deletion.
  5. The targeted storage bucket and its contents are permanently removed from the GCP environment.
  6. The victim organization experiences data loss and potential service disruption due to the unavailability of the deleted data.
  7. The attacker may repeat this process to delete multiple storage buckets, exacerbating the impact and hindering recovery efforts.

Impact

Successful deletion of GCP storage buckets can lead to significant data loss and operational disruption. The impact can range from temporary service outages to permanent data loss, depending on the backup and recovery strategies in place. Industries heavily reliant on cloud storage, such as e-commerce, financial services, and healthcare, are particularly vulnerable. The cost of recovery can be substantial, including expenses related to data restoration, incident response, and reputational damage.

Recommendation

  • Deploy the Sigma rule GCP Storage Bucket Deletion to your SIEM to detect unauthorized bucket deletions.
  • Review IAM policies and enforce the principle of least privilege to limit the potential impact of compromised credentials.
  • Enable versioning on critical storage buckets to facilitate recovery from accidental or malicious deletions (reference: [https://cloud.google.com/storage/docs/key-terms#buckets]).
  • Set up alerts for any future deletion actions on storage buckets to ensure immediate awareness and response to similar threats.
  • Investigate any alerts generated by the Sigma rule, focusing on the user account, IP address, and timestamp associated with the deletion event.

Detection coverage 2

GCP Storage Bucket Deletion

medium

Detects the deletion of a GCP storage bucket based on audit logs.

sigma tactics: impact techniques: T1485 sources: webserver, linux

GCP Storage Bucket Deletion - User Agent

medium

Detects GCP storage bucket deletion by looking for specific user agents associated with bucket deletions

sigma tactics: impact techniques: T1485 sources: webserver, linux

Detection queries are available on the platform. Get full rules →