
TRIPLESTRENGTH: A Financially Motivated Threat Actor Targeting Cloud Environments for Cryptojacking and Ransomware Attacks

By Ravie Lakshmanan, January 23, 2025

Google has shed light on a financially motivated threat actor named TRIPLESTRENGTH, which has been targeting cloud environments for cryptojacking and on-premise ransomware attacks. According to the tech giant’s cloud division, TRIPLESTRENGTH engages in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity.

Threat Activity

TRIPLESTRENGTH’s threat activity includes illicit cryptocurrency mining, ransomware, and extortion, as well as advertising to other threat actors access to various cloud platforms, including Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and DigitalOcean.

Initial Access

Initial access to target cloud instances is facilitated by means of stolen credentials and cookies, some of which originate from Raccoon information stealer infection logs. The hijacked environments are then abused to create compute resources for mining cryptocurrencies.

Ransomware Deployment

Subsequent versions of the campaign have been found to leverage highly privileged accounts to invite attacker-controlled accounts as billing contacts on the victim’s cloud project in order to set up large compute resources for mining purposes. TRIPLESTRENGTH’s ransomware deployment operations have been focused on on-premises resources, rather than cloud infrastructure, employing lockers such as Phobos, RCRU64, and LokiLocker.

Advertising Access

TRIPLESTRENGTH has also been observed routinely advertising access to compromised servers, including those belonging to hosting providers and cloud platforms, on Telegram. In one RCRU64 ransomware incident in May 2024, the threat actors are said to have gained initial access via remote desktop protocol, then performed lateral movement and antivirus defense evasion before executing the ransomware on several hosts.

Countermeasures

Google has taken steps to counter these activities by enforcing multi-factor authentication (MFA) to reduce the risk of account takeover and rolling out improved logging to flag sensitive billing actions. "A single stolen credential can initiate a chain reaction, granting attackers access to applications and data, both on-premises and in the cloud," the tech giant said.
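As an added, illustrative example (not Google's own detection logic and not from the original article): a small Python detector over constructed Cloud Audit Log entries that flags the billing-contact abuse described under Ransomware Deployment and the kind of sensitive billing action the improved logging is meant to surface. It assumes an organisation identity domain of example.com and the simplified protoPayload/serviceData layout shown in the constructed samples.

```python
# Assumed organisation identity domain; any other domain counts as external.
TRUSTED_DOMAINS = {"example.com"}
# Billing roles whose grant to an outside identity mirrors the "invite an
# attacker-controlled account as a billing contact" step described above.
SENSITIVE_BILLING_ROLES = {"roles/billing.admin", "roles/billing.user"}

# Constructed, simplified Cloud Audit Log entries (already JSON-parsed; not real
# telemetry): an external billing grant, then an instance creation by the
# newly granted external identity.
SAMPLE_LOGS = [
    {"protoPayload": {"serviceName": "cloudbilling.googleapis.com",
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD",
            "role": "roles/billing.admin", "member": "user:ops@attacker-mail.invalid"}]}}}},
    {"protoPayload": {"serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.instances.insert",
        "authenticationInfo": {"principalEmail": "ops@attacker-mail.invalid"},
        "resourceName": "projects/demo/zones/us-central1-a/instances/worker-1"}},
]

def member_email(member: str) -> str:
    """'user:alice@example.com' -> 'alice@example.com' (bare emails pass through)."""
    return member.split(":", 1)[-1].lower()

def is_external(email: str, trusted=TRUSTED_DOMAINS) -> bool:
    return email.rsplit("@", 1)[-1].lower() not in trusted

def scan(entries, trusted=TRUSTED_DOMAINS):
    """Return (rule, identity) findings: a sensitive billing role granted to an
    external identity, and that same identity later creating a Compute instance."""
    findings, granted_externals = [], set()
    for entry in entries:
        p = entry["protoPayload"]
        svc, method = p.get("serviceName"), p.get("methodName", "")
        actor = p.get("authenticationInfo", {}).get("principalEmail", "").lower()
        if svc == "cloudbilling.googleapis.com" and method == "SetIamPolicy":
            for d in p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", []):
                email = member_email(d.get("member", ""))
                if d.get("action") == "ADD" and d.get("role") in SENSITIVE_BILLING_ROLES \
                        and is_external(email, trusted):
                    findings.append(("external_billing_grant", email))
                    granted_externals.add(email)
        elif svc == "compute.googleapis.com" and method.endswith("instances.insert"):
            # Correlation: compute created by an identity that was just granted billing rights.
            if actor in granted_externals:
                findings.append(("billing_grant_then_compute", actor))
    return findings
```

In practice the entries would come from a log sink or SIEM query filtered to these two services, with the trusted-domain set taken from the organisation's identity provider.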

Conclusion

TRIPLESTRENGTH’s threat activity highlights the importance of cloud security and the need for organizations to implement robust security measures to prevent unauthorized access and protect against ransomware attacks. By staying informed about the latest threat actors and their tactics, organizations can take proactive steps to protect their cloud environments and prevent financial losses.
