Google has highlighted the activities of a financially motivated threat actor called TRIPLESTRENGTH, known for exploiting cloud environments for cryptojacking and targeting on-premises systems with ransomware. The group’s malicious operations include illicit cryptocurrency mining, ransomware deployment, and advertising access to compromised cloud platforms such as Google Cloud, AWS, Microsoft Azure, Linode, OVHCloud, and DigitalOcean. These activities were detailed in Google’s 11th Threat Horizons Report, which sheds light on the sophisticated methods employed by TRIPLESTRENGTH to exploit cloud resources and infrastructure.
TRIPLESTRENGTH gains initial access to cloud instances using stolen credentials and cookies, often obtained through Raccoon stealer infection logs. Once access is secured, the group creates compute resources to mine cryptocurrency using the unMiner application and unMineable mining pool. They employ both CPU- and GPU-optimized mining algorithms depending on the victim’s systems. In more advanced campaigns, TRIPLESTRENGTH uses privileged accounts to add attacker-controlled billing contacts to cloud projects, allowing them to establish extensive mining operations undetected.
The group’s ransomware operations focus on on-premises systems rather than cloud environments, using tools such as Phobos, RCRU64, and LokiLocker. These attacks often begin with access via remote desktop protocol, followed by lateral movement and antivirus evasion to deploy ransomware on multiple hosts. TRIPLESTRENGTH has also advertised ransomware-as-a-service on Telegram, particularly promoting RCRU64, and sought partners for blackmail and ransomware collaborations. These efforts demonstrate the group’s multifaceted approach to monetizing compromised infrastructure.
Google has responded to TRIPLESTRENGTH’s activities by enhancing security measures, including enforcing multi-factor authentication and improving logging capabilities to detect suspicious billing actions. The tech giant has warned that even a single stolen credential can lead to a chain reaction of compromise, allowing attackers to gain access to sensitive data and manipulate systems for further attacks. Google emphasizes the importance of robust cloud security practices, including regular monitoring and securing privileged accounts, to mitigate risks posed by advanced threat actors like TRIPLESTRENGTH.
