The next frontier in cloud attacks: Navigating the cyberstorm


The modern digital ecosystem is defined by the rapid adoption of cloud services, and this shift has fundamentally altered the cybersecurity threat model.

Threat actors are augmenting traditional, proven attack vectors, like compromised identities and misconfigurations, with AI-driven tools that dramatically reduce the time defenders may have to detect and respond to an intrusion. This means security incidents, once measured in days, can now unfold in minutes.

The AI engine: Compressing time-to-impact

The most significant change in the threat landscape is the acceleration of intrusion speed. Early observations of AI-assisted attacks show AI can amplify the scale and speed of intrusions. Here are some examples of these types of attacks:

Accelerated exfiltration

Security researchers simulated a ransomware attack integrating Generative AI (GenAI) and found that the time required for data exfiltration dropped from a median of two days down to just 25 minutes — an acceleration of approximately 100 times. In real-world cases, data exfiltration took place within the first hour of compromise in nearly one in five cases (19%).

Enhanced social engineering

Large Language Models (LLMs) are used to automate complex tasks. They can craft highly convincing phishing emails that mimic legitimate corporate communications with unprecedented accuracy, increasing the success rate of social engineering campaigns. Another example of AI used in successful attacks is deepfakes, which are becoming an increasingly common theme. The quality of deepfakes has also improved significantly over the last year, making it more difficult for an average user to recognize whether they are being contacted by an AI or a human being.

This compression of the attack timeline and the improved social engineering demand both organizational resilience (the ability to detect and contain issues quickly) and better employee awareness. The good news is that AI can also be used to defend against AI-driven attacks: AI models have become significantly better at detecting and triaging incidents. The case for defensive AI is not only about effectiveness. Organizations that integrate AI for defensive automation are also seeing substantial cost savings, averaging $1.9 million compared to those that do not.

A battle for the perimeter: Identity and APIs

Adversaries succeed by exploiting complexity, gaps in visibility, and excessive trust. Today, these vulnerabilities are most often found across identities and the supply chain.

The identity chaos challenge

The explosive growth of cloud services, microservices, and SaaS environments has dissolved the traditional network perimeter, resulting in immense identity chaos.

Traditional identity systems assume that a user context doesn’t change between logins. However, in a SaaS-first, hybrid world, identity context changes daily, creating invisible gaps.

The number of identities has exploded, and the set of identities may change daily (sometimes hourly). Controlling them with the old ways of managing IAM is harder. The lag between a context change (such as a role change or a project ending) and the corresponding access change is an attack surface that attackers can easily exploit.

This issue is compounded by non-human identities (NHIs) such as service accounts and API keys, which often operate with excessive, static privileges, making them a high-value pivot path for threat actors. Furthermore, the ungoverned adoption of AI tools (often called Shadow AI) introduces unmonitored data flows and immediate compliance risks.

The most practical defense against these new threats is identity-centric zero trust — a model that shifts the focus from network location to continuous verification of all entities, human and machine, neutralizing the problem of excessive trust.
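The following is an added example, not code from the article or from Atos, of what continuous verification looks like when it is applied to both human and non-human identities: each identity is re-evaluated against current context (is the justifying project still active, does the human's current role still grant these permissions, has the NHI's static key aged past rotation, does the NHI hold administrative rights). The inventory, projects, permission names and thresholds are all constructed for illustration.

```python
"""Continuous access evaluation for human and non-human identities.

Added example (not from the original article): access decisions follow
context changes (role change, project end), and non-human identities (NHIs)
with static, excessive privileges get the same scrutiny as humans.
All identities, projects and thresholds below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Policy thresholds (assumed values, not from the article)
MAX_KEY_AGE_DAYS = 90
ADMIN_ACTIONS = {"iam:*", "backup:DeleteBackupVault", "s3:PutBucketPolicy"}

@dataclass
class Identity:
    name: str
    kind: str                        # "human" or "nhi"
    project: str | None              # project that justifies the access
    permissions: set[str]
    key_created: date | None = None  # only NHIs carry static keys here

@dataclass
class Context:
    today: date
    active_projects: set[str]
    current_roles: dict[str, str]            # human name -> current role
    role_permissions: dict[str, set[str]]    # role -> permissions it grants

def evaluate(identity: Identity, ctx: Context) -> list[str]:
    """Return reasons to deny or review access; an empty list means access stands."""
    findings = []
    # 1. Context check: the project that justified the access has ended.
    if identity.project and identity.project not in ctx.active_projects:
        findings.append(f"project '{identity.project}' ended but access remains")
    if identity.kind == "human":
        # 2. Role drift: permissions beyond what the current role grants.
        role = ctx.current_roles.get(identity.name)
        extra = identity.permissions - ctx.role_permissions.get(role, set())
        if extra:
            findings.append(f"permissions exceed role '{role}': {sorted(extra)}")
    else:
        # 3. NHI checks: static key past rotation age, or admin-level rights.
        if identity.key_created and (ctx.today - identity.key_created).days > MAX_KEY_AGE_DAYS:
            findings.append("static API key older than rotation limit")
        admin = identity.permissions & ADMIN_ACTIONS
        if admin:
            findings.append(f"NHI holds administrative permissions: {sorted(admin)}")
    return findings

def review_all(identities: list[Identity], ctx: Context) -> dict[str, list[str]]:
    return {i.name: evaluate(i, ctx) for i in identities}

# Constructed sample inventory and current context
TODAY = date(2025, 6, 1)
CTX = Context(
    today=TODAY,
    active_projects={"payments-migration"},
    current_roles={"alice": "analyst"},
    role_permissions={"analyst": {"s3:GetObject", "logs:Read"},
                      "admin": {"iam:*", "s3:*"}},
)
IDENTITIES = [
    # Alice moved from admin to analyst but kept iam:* (role drift)
    Identity("alice", "human", "payments-migration", {"s3:GetObject", "iam:*"}),
    # CI service account on a project that ended, holding a 200-day-old key
    Identity("ci-deployer", "nhi", "legacy-portal", {"s3:PutObject"},
             key_created=TODAY - timedelta(days=200)),
    # Backup agent able to delete the backup vault
    Identity("backup-agent", "nhi", "payments-migration",
             {"backup:StartBackupJob", "backup:DeleteBackupVault"},
             key_created=TODAY - timedelta(days=10)),
    # A healthy, narrowly scoped identity
    Identity("metrics-reader", "nhi", "payments-migration", {"logs:Read"},
             key_created=TODAY - timedelta(days=30)),
]

if __name__ == "__main__":
    for name, reasons in review_all(IDENTITIES, CTX).items():
        print(name, "->", reasons or "OK")
```

Run periodically (or on every context change event from the HR or project system) rather than only at login, this is the difference between a directory that records who someone was and a control that verifies who they are now.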

The supply chain vulnerability

Software supply chain and cloud attacks are growing in both frequency and sophistication. API keys have functionally replaced network credentials as the primary means of accessing critical data and executing administrative functions. Attackers increasingly compromise third-party SaaS and cloud providers, exploiting API keys and OAuth tokens for stealthy access.

To combat this, organizations must adopt application security posture management (ASPM). This approach correlates vulnerabilities against runtime context, business impact, and exploitability. ASPM is also helpful in addressing alert fatigue by filtering duplicate and low-priority alerts, allowing teams to focus exclusively on the small percentage of issues that are genuinely reachable and exploitable in production.
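As an added illustration of the correlation the paragraph above describes (this is example code, not part of the article or of any ASPM product), the block below merges findings from two scanners by asset and CVE, weights the base severity by runtime reachability, known exploitability, exposure and business impact, and drops everything below a threshold. The assets, findings, weights and CVE identifiers are constructed placeholders, not real advisories.

```python
"""ASPM-style finding triage: deduplicate and rank by runtime context.

Added example, not part of the article. Findings, assets and weights are
constructed; the CVE ids are placeholders, not real advisories.
"""

# Constructed asset inventory: runtime context and business impact (1-5)
ASSETS = {
    "payments-api":  {"internet_facing": True,  "running": True,  "impact": 5},
    "internal-wiki": {"internet_facing": False, "running": True,  "impact": 2},
    "old-batch-job": {"internet_facing": False, "running": False, "impact": 3},
}

# Constructed findings from two scanners; note the duplicate on payments-api
RAW_FINDINGS = [
    {"scanner": "sca",   "asset": "payments-api",  "cve": "CVE-0000-0001", "cvss": 9.8,  "exploit_known": True,  "reachable": True},
    {"scanner": "image", "asset": "payments-api",  "cve": "CVE-0000-0001", "cvss": 9.8,  "exploit_known": True,  "reachable": True},
    {"scanner": "sca",   "asset": "payments-api",  "cve": "CVE-0000-0002", "cvss": 7.5,  "exploit_known": False, "reachable": False},
    {"scanner": "sca",   "asset": "internal-wiki", "cve": "CVE-0000-0003", "cvss": 9.1,  "exploit_known": True,  "reachable": True},
    {"scanner": "image", "asset": "old-batch-job", "cve": "CVE-0000-0004", "cvss": 10.0, "exploit_known": True,  "reachable": True},
    {"scanner": "sca",   "asset": "internal-wiki", "cve": "CVE-0000-0005", "cvss": 4.3,  "exploit_known": False, "reachable": False},
]

def deduplicate(findings):
    """Merge findings that refer to the same (asset, cve); keep the list of scanners."""
    merged = {}
    for f in findings:
        key = (f["asset"], f["cve"])
        if key not in merged:
            merged[key] = dict(f, scanners=[f["scanner"]])
        else:
            merged[key]["scanners"].append(f["scanner"])
            # reachable / exploitable if any scanner says so
            merged[key]["reachable"] |= f["reachable"]
            merged[key]["exploit_known"] |= f["exploit_known"]
    return list(merged.values())

def score(finding, assets):
    """Priority in [0, 100]: CVSS weighted by runtime context and business impact.

    A vulnerability on an asset that is not running cannot be exploited in
    production, so it scores zero regardless of CVSS.
    """
    asset = assets[finding["asset"]]
    if not asset["running"]:
        return 0.0
    s = finding["cvss"] / 10.0                     # base severity, 0-1
    s *= 1.0 if finding["reachable"] else 0.3      # code path reachable at runtime
    s *= 1.0 if finding["exploit_known"] else 0.5  # public exploit available
    s *= 1.0 if asset["internet_facing"] else 0.6  # exposure
    s *= asset["impact"] / 5.0                     # business impact
    return round(s * 100, 1)

def triage(findings, assets, threshold=20.0):
    """Return deduplicated findings at or above the threshold, highest priority first."""
    ranked = []
    for f in deduplicate(findings):
        f = dict(f, priority=score(f, assets))
        if f["priority"] >= threshold:
            ranked.append(f)
    return sorted(ranked, key=lambda f: f["priority"], reverse=True)

if __name__ == "__main__":
    for f in triage(RAW_FINDINGS, ASSETS):
        print(f["priority"], f["asset"], f["cve"], f["scanners"])
```

Six raw findings collapse to five after deduplication and to two after scoring: the critical finding on the stopped batch job scores zero because nothing can reach it, and the unreachable, non-exploited finding on the payment API falls below the threshold despite its CVSS 7.5.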

Protecting the last line of defense: Cloud ransomware

One thing that has not changed over the years is that ransomware remains one of the biggest cloud-related threats, prevalent and costly for any organization's cloud ecosystem. Attacks have evolved from simple encryption to intentional operational disruption and sabotage, affecting 86% of incidents in 2024.

The modern cloud-native ransomware strategy bypasses traditional endpoint defenses by targeting cloud storage and backup APIs.

Attackers use the over-privileged API keys mentioned above to perform administrative actions on recovery assets, such as disabling snapshots, altering retention policies, or deleting backups before data encryption takes place. The tactic aims to eliminate viable recovery points, making the attacked organization more likely to pay a ransom for the data it would otherwise lose.
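Because the actions described above (changing retention, deleting snapshots and recovery points) are administrative API calls, they leave audit records. The block below is an added detection example, not code from the article: it scans constructed CloudTrail-style records for a watch-list of recovery-asset operations and alerts when one principal performs several of them in a short window. The event names follow AWS API naming, but the records, principals and thresholds are constructed.

```python
"""Detect backup-tampering precursors in cloud audit events.

Added example, not from the article. Event names follow AWS API naming
(EC2, AWS Backup, S3); the records, principals and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that reduce or remove recovery points (constructed watch-list)
RECOVERY_TAMPERING = {
    "DeleteSnapshot": "snapshot deleted",
    "DeleteBackupVault": "backup vault deleted",
    "DeleteRecoveryPoint": "recovery point deleted",
    "PutBackupVaultLockConfiguration": "vault lock changed",
    "UpdateBackupPlan": "backup plan/retention changed",
    "PutBucketLifecycleConfiguration": "object lifecycle/retention changed",
}

# Constructed audit records (timestamp, principal, API call, error if denied)
EVENTS = [
    {"time": "2025-06-01T02:00:10Z", "principal": "svc-backup-key", "event": "DescribeSnapshots",   "error": None},
    {"time": "2025-06-01T02:01:05Z", "principal": "svc-backup-key", "event": "UpdateBackupPlan",    "error": None},
    {"time": "2025-06-01T02:02:40Z", "principal": "svc-backup-key", "event": "DeleteSnapshot",      "error": None},
    {"time": "2025-06-01T02:03:12Z", "principal": "svc-backup-key", "event": "DeleteSnapshot",      "error": None},
    {"time": "2025-06-01T02:04:50Z", "principal": "svc-backup-key", "event": "DeleteRecoveryPoint", "error": "AccessDenied"},
    {"time": "2025-06-01T09:30:00Z", "principal": "alice",          "event": "DeleteSnapshot",      "error": None},
    {"time": "2025-06-01T10:15:00Z", "principal": "svc-metrics",    "event": "GetObject",           "error": None},
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def tampering_events(events):
    """Yield only watch-listed events, annotated with a human-readable description."""
    for e in events:
        if e["event"] in RECOVERY_TAMPERING:
            yield dict(e, description=RECOVERY_TAMPERING[e["event"]])

def detect_bursts(events, window=timedelta(minutes=10), min_count=3):
    """Alert when a principal performs >= min_count tampering actions within window.

    Denied calls are counted too: an AccessDenied on a delete is still an
    attempt against recovery assets and is worth seeing early.
    """
    by_principal = defaultdict(list)
    for e in tampering_events(events):
        by_principal[e["principal"]].append(e)
    alerts = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        for i in range(len(evs)):
            start = parse_time(evs[i]["time"])
            run = [x for x in evs[i:] if parse_time(x["time"]) - start <= window]
            if len(run) >= min_count:
                alerts.append({
                    "principal": principal,
                    "first": run[0]["time"],
                    "count": len(run),
                    "actions": [x["description"] for x in run],
                })
                break  # one alert per principal is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in detect_bursts(EVENTS):
        print(alert)
```

In the constructed sample the service-account key trips the rule (four watch-listed calls in under four minutes, one of them denied), while a single snapshot deletion by a human during working hours does not; the single-event case is where the immutability control described below, rather than detection, has to carry the load.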

The fundamental defense against this is architectural enforcement of data immutability. Here, too, the cloud supports this in a way that is hard to achieve with on-premises resources alone: cloud-native features can store recovery data in a write once, read many (WORM) state, where data cannot be altered, overwritten, or deleted during its required retention period.

The mandate for resilience and governance

These converging cloud threats are being met with increasing regulatory scrutiny, which demands that organizations prove their resilience capabilities.

Frameworks like the EU’s Digital Operational Resilience Act (DORA) and the updated NIST Cybersecurity Framework (CSF 2.0) mandate rigorous, proactive strategies. NIST CSF 2.0 introduced the core function GOVERN, ensuring cybersecurity is integrated into organizational governance and strategy. Meanwhile, DORA emphasizes the need to restore operations quickly, often measured in hours or days, prioritizing the Recover function.

Compliance success now hinges on Governance, Risk, and Compliance (GRC) automation. Organizations must integrate security policy directly into development pipelines using policy-as-code, and continuously validate security posture to generate the real-time, evidence-based data necessary for rapid disclosure and audit readiness.
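The policy-as-code idea above and the immutability requirement from the ransomware section come together in a pipeline gate. The block below is an added example (not code from the article or from any vendor tool) that evaluates a deployment's backup-store configuration against a WORM policy and blocks the change when retention can be shortened or data deleted. The configuration schema, the field names and the minimum retention are assumptions for this example; they loosely mirror object-lock and vault-lock settings offered by cloud providers, but the schema itself is invented.

```python
"""Policy-as-code check for recovery-data immutability.

Added example, not from the article or any vendor tool. The configuration
schema, field names and thresholds are assumptions made for this example.
"""

MIN_RETENTION_DAYS = 30  # assumed organisational minimum

# Constructed configuration as a CI stage would receive it (e.g. parsed from IaC).
# Weak setting: no versioning, no object lock, retention 0, a key that may delete.
WEAK_CONFIG = {
    "backup_stores": [
        {"name": "db-backups", "object_lock": False, "mode": None, "retention_days": 0,
         "versioning": False, "delete_allowed_by": ["svc-backup-key"]},
    ]
}

# Corrected setting: compliance-mode lock, retention above the minimum, no deleters.
HARDENED_CONFIG = {
    "backup_stores": [
        {"name": "db-backups", "object_lock": True, "mode": "COMPLIANCE", "retention_days": 35,
         "versioning": True, "delete_allowed_by": []},
    ]
}

def check_store(store):
    """Return policy violations for one backup store (empty list = compliant)."""
    violations = []
    if not store.get("versioning"):
        violations.append("versioning disabled: overwrites destroy prior copies")
    if not store.get("object_lock"):
        violations.append("object lock (WORM) not enabled")
    elif store.get("mode") != "COMPLIANCE":
        # A governance-style mode can be bypassed by sufficiently privileged principals
        violations.append(f"object lock mode is {store.get('mode')!r}, expected 'COMPLIANCE'")
    if store.get("retention_days", 0) < MIN_RETENTION_DAYS:
        violations.append(f"retention {store.get('retention_days', 0)}d below minimum {MIN_RETENTION_DAYS}d")
    if store.get("delete_allowed_by"):
        violations.append(f"principals may delete recovery data: {store['delete_allowed_by']}")
    return violations

def evaluate_policy(config):
    """Return {store_name: violations}; the pipeline fails if any list is non-empty."""
    return {s["name"]: check_store(s) for s in config["backup_stores"]}

def pipeline_gate(config):
    """True when the change may proceed, False when it must be blocked."""
    return all(not v for v in evaluate_policy(config).values())

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", "PASS" if pipeline_gate(cfg) else evaluate_policy(cfg))
```

Running the same check on every commit, rather than in an annual audit, is what produces the continuous, evidence-based posture data the paragraph above calls for: each pipeline run is a timestamped record that the recovery data could not have been deleted at that point.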

The path forward requires investment in controls that are proactive, contextual, and automated, so that defense accelerates at the same pace as the threat. Investing in identity-centric zero trust, continuous posture management (such as ASPM), and recovery immutability is no longer an optional expenditure but a critical pillar of modern business resilience.

Building resilience is the only way forward

As cloud environments continue to grow in complexity and importance, organizations can no longer rely on legacy approaches to security and resilience. The dynamic nature of modern threats, particularly the rise of sophisticated ransomware, demands that companies not only harden their defenses but also embrace a culture of continuous improvement and proactive governance. By leveraging automation, adopting cloud-native security features, and embedding resilience into every layer of their operations, businesses position themselves to withstand, recover from, and ultimately thrive in the face of evolving cyber risks.

Ultimately, building resilience is not just about compliance or checking boxes — it is about safeguarding the business, ensuring operational continuity, and maintaining trust with customers and stakeholders. The organizations that prioritize security posture management, governance, and recovery capabilities today will be best prepared to face tomorrow’s challenges, turning resilience from a regulatory mandate into a true competitive advantage.

Learn more about how Atos can be your trusted partner for future-ready cybersecurity solutions and AI-driven security, safeguarding every step of your digital journey: 


Gabriela Gorzycka

Cybersecurity Director – Strategic Deals & Engagements


Raul Salagean

Global Deputy Product Director for Cloud & Application Security, Atos

