Attack Mechanism
Security researchers at Unit 42 have identified a cloud storage attack technique called bucket hijacking that allows threat actors to silently redirect an organization’s active data streams into attacker-controlled external storage buckets. The method exploits a fundamental architectural flaw where cloud storage bucket names must be globally unique, meaning the identity of a destination bucket is tied only to its name, not to a specific account owner.
An attacker who compromises a cloud environment and gains bucket deletion permissions can delete the target organization’s active storage bucket and immediately recreate a new bucket with the identical name within their own account. The original data stream, whether a Google Cloud logging sink, AWS S3 replication rule, or Azure Monitor diagnostic export, continues operating autonomously and begins writing data directly into the attacker’s bucket.
Impact and Scope
The attack is particularly dangerous because it is self-sustaining. Once the hijack is complete, the legitimate sink or replication configuration continues to appear valid upon inspection, generating no obvious error states and triggering no native alerts. Logs, metrics, and sensitive telemetry flow silently into the attacker’s environment indefinitely. Unit 42 successfully simulated bucket hijacking across multiple services on Google Cloud, AWS, and Microsoft Azure, and all three providers were notified through responsible disclosure.
Researchers note that broad storage administration roles commonly assigned in enterprise environments dramatically increase exposure. In Google Cloud, the standard Storage Admin role grants bucket deletion permissions by default, allowing attackers to reroute data streams without ever touching stream configurations directly. Unit 42 recommends a defense strategy combining least privilege access controls, data perimeter policies, and monitoring alerts for bucket deletion API calls. The technique is not limited to the three providers tested, as any cloud platform relying on globally unique, statically named storage resources could be vulnerable to the same methodology.
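The monitoring control the article recommends, alerting on bucket deletion API calls, is the one place a defender gets a signal: the sink keeps writing, so nothing downstream errors, but the deletion itself is recorded in each provider's audit log. The following is an added example, not code from the article or from Unit 42, of a small detector that normalizes AWS CloudTrail, GCP Cloud Audit Logs and Azure Activity Log records, flags every bucket (or, as the Azure analog, storage account) deletion, and escalates when the deleted name is a known logging-sink, replication or diagnostic-export destination. The bucket names, principals and sample records are constructed; the Azure field shapes (`operationName` as either a string or a `{"value": ...}` object, `caller`, `resourceId`) are assumptions about the export format, while `DeleteBucket` and `storage.buckets.delete` are the providers' documented operation names.

```python
import json
from dataclasses import dataclass

# Constructed sample (hypothetical names, not from the article): bucket and
# storage-account names this organization uses as logging-sink, replication
# or diagnostic-export destinations. Deleting one of these is the step that
# frees the globally unique name while the stream keeps writing to it.
SINK_DESTINATIONS = {
    "aws": {"example-corp-replica-eu"},
    "gcp": {"example-corp-audit-logs"},
    "azure": {"examplecorpdiag"},
}

# Audit-log operation names that record a bucket / storage-account deletion,
# compared case-insensitively. AWS eventName and GCP methodName are documented
# values; the Azure operationName is the Activity Log resource-provider operation.
DELETE_OPERATIONS = {
    "aws": {"deletebucket"},
    "gcp": {"storage.buckets.delete"},
    "azure": {"microsoft.storage/storageaccounts/delete"},
}


@dataclass(frozen=True)
class Finding:
    provider: str
    bucket: str
    actor: str
    severity: str  # "high" if the name is a known sink destination, else "medium"


def normalize(event: dict):
    """Map a provider-specific audit record to (provider, operation, bucket, actor).

    Missing fields fall back to "?" rather than raising, so one malformed
    record cannot stall a scan over a whole export.
    """
    if "eventSource" in event and "eventName" in event:            # AWS CloudTrail
        params = event.get("requestParameters") or {}
        actor = (event.get("userIdentity") or {}).get("arn", "?")
        return "aws", event["eventName"].lower(), params.get("bucketName", "?"), actor
    if "protoPayload" in event:                                     # GCP Cloud Audit Logs
        p = event["protoPayload"]
        # resourceName looks like "projects/_/buckets/<name>"; keep the last segment
        bucket = (p.get("resourceName") or "?").rsplit("/", 1)[-1]
        actor = (p.get("authenticationInfo") or {}).get("principalEmail", "?")
        return "gcp", (p.get("methodName") or "").lower(), bucket, actor
    if "operationName" in event:                                    # Azure Activity Log
        op = event["operationName"]
        op = op.get("value", "") if isinstance(op, dict) else op    # both shapes seen in exports (assumption)
        # resourceId ends with ".../storageAccounts/<name>" (assumed export layout)
        bucket = (event.get("resourceId") or "?").rsplit("/", 1)[-1]
        return "azure", str(op).lower(), bucket, event.get("caller", "?")
    return None


def detect(events):
    """Return one Finding per deletion; escalate when the deleted name is a sink target."""
    findings = []
    for event in events:
        norm = normalize(event)
        if norm is None:
            continue
        provider, op, bucket, actor = norm
        if op not in DELETE_OPERATIONS[provider]:
            continue
        severity = "high" if bucket in SINK_DESTINATIONS[provider] else "medium"
        findings.append(Finding(provider, bucket, actor, severity))
    return findings


# Constructed sample records (not real log data): a deletion per provider plus a benign read.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/storage-admin"},
     "requestParameters": {"bucketName": "example-corp-replica-eu"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app"},
     "requestParameters": {"bucketName": "example-corp-replica-eu"}},
    {"protoPayload": {"methodName": "storage.buckets.delete",
                      "resourceName": "projects/_/buckets/scratch-bucket-42",
                      "authenticationInfo": {"principalEmail": "admin@example.com"}}},
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/delete"},
     "caller": "ops@example.com",
     "resourceId": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/examplecorpdiag"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(json.dumps(finding.__dict__))
```

The "high" severity is the case worth paging on: a deleted sink destination means the stream's configuration still looks valid but its bytes now land wherever the name is next claimed, which is exactly the condition the article describes as producing no native alert. Any bucket deletion is still worth a "medium" ticket, because the principle (name, not owner, is the identity) applies to every globally named bucket, not only the ones currently listed as sink targets.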
Source: Cyber Security News
