State-backed hackers hide long cloud intrusions in SaaS tools
Nation-state attackers use Google Calendar, Dropbox and GitHub to maintain months-long cloud access, prompting tighter identity controls, logging and admin monitoring.
Cloudflare’s 2026 threat report shows nation-state attackers are using legitimate cloud services such as Google Calendar, Dropbox and GitHub to hide months-long intrusions. Corporate security teams have increased identity controls, logging and monitoring of administrative tools in response.
Cloudflare tracked sustained campaigns linked to Russia, China, North Korea and Iran. These campaigns favor high-trust use of SaaS, IaaS and PaaS rather than deploying noisy malware or one-off data theft.
Security leaders say attackers shifted tactics as companies improved perimeter defenses and signature-based detection. Tony Fergusson, CISO in residence at Zscaler, observes attackers now use trusted processes and mimic routine operations to avoid detection.
Razvan Ionescu of Pentest-Tools.com points to weak monitoring of cloud consoles, endpoint management platforms and scripting environments. He notes many organizations concentrate on perimeter controls and signature detection while leaving administrative tooling less covered.
Experts describe the motive as strategic. Dana Simberkoff, chief risk, privacy and information security officer at AvePoint, states state-backed actors use these methods for espionage, long-term positioning and potential disruption.
Cloudflare’s report identified groups that use benign services for command-and-control, including examples of calendar-based messaging. Analysts say attackers build persistent footholds to retain options during future geopolitical events.
Companies with complex cloud environments face higher risk. Simberkoff highlights cloud-first firms, regulated industries, critical infrastructure providers and organizations with extensive third-party connections as more exposed. Government and defense entities remain primary targets.
AI is used to speed reconnaissance and refine targeting, not to run fully autonomous attacks, according to security specialists. Public sources such as organization charts, job postings and vendor documentation can be analyzed to infer likely technology stacks and access paths.
Recommendations from security professionals focus on detection and containment. Simberkoff recommends strong identity governance, strict least-privilege access and detailed logging of administrative actions. Ionescu emphasizes mapping an organization’s blast radius and applying anomaly detection to administrative behavior rather than relying only on known malware signatures.
Incident response planning should include scenarios for quiet compromises. Tracey Hannan-Jones, consulting director for information security at UBDS Digital, recommends defining what suspicious administrative activity looks like and creating runbooks for identity compromise, token theft and privileged account misuse.
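The two recommendations above, anomaly detection on administrative behaviour rather than malware signatures, and writing down what suspicious administrative activity looks like, can be made concrete as a baseline-and-deviation check over an audit trail. The following is an added example, not code from Cloudflare, Pentest-Tools.com, UBDS Digital or the report; the JSON audit-record layout, field names, action names and principals are constructed for illustration and do not correspond to any specific provider's audit API. It profiles each principal's normal actions and source addresses over a baseline window, then flags recent events that are first-seen for that principal, that create or widen access (OAuth app authorizations, token creation, role grants, MFA changes), or that fall outside working hours.

```python
"""Baseline-and-deviation check over administrative audit events.

Added example: the record format, field names, action names and principals
below are constructed for illustration and are not any vendor's schema.
"""
import json
from collections import defaultdict
from datetime import datetime

# Actions that create or widen access: flagged even when the principal is known.
# Names are constructed placeholders, not a real provider's event types.
HIGH_IMPACT_ACTIONS = {
    "oauth_app.authorize",
    "access_token.create",
    "role.grant",
    "mfa.disable",
}

# Constructed baseline window: routine admin activity from known principals.
BASELINE_LINES = [
    '{"ts": "2026-01-05T09:12:00Z", "principal": "ops-admin@example.com", "action": "user.create", "src": "203.0.113.10"}',
    '{"ts": "2026-01-06T10:02:00Z", "principal": "ops-admin@example.com", "action": "user.create", "src": "203.0.113.10"}',
    '{"ts": "2026-01-07T14:30:00Z", "principal": "ops-admin@example.com", "action": "group.update", "src": "203.0.113.11"}',
    '{"ts": "2026-01-08T11:45:00Z", "principal": "ci-bot@example.com", "action": "repo.push", "src": "198.51.100.5"}',
]

# Constructed recent window: one routine event followed by a quiet deviation
# (a new OAuth app authorization and a token creation, at night, from a new address).
RECENT_LINES = [
    '{"ts": "2026-02-02T10:10:00Z", "principal": "ops-admin@example.com", "action": "user.create", "src": "203.0.113.10"}',
    '{"ts": "2026-02-03T02:41:00Z", "principal": "ops-admin@example.com", "action": "oauth_app.authorize", "src": "192.0.2.77"}',
    '{"ts": "2026-02-03T02:43:00Z", "principal": "ci-bot@example.com", "action": "access_token.create", "src": "192.0.2.77"}',
]


def parse_events(lines):
    """Parse one JSON record per line; timestamps become timezone-aware datetimes."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def build_baseline(events):
    """Per principal: the actions and source addresses seen in the baseline window."""
    profile = defaultdict(lambda: {"actions": set(), "sources": set()})
    for e in events:
        profile[e["principal"]]["actions"].add(e["action"])
        profile[e["principal"]]["sources"].add(e["src"])
    return profile


def detect_anomalies(baseline, events, quiet_hours=range(0, 6)):
    """Return findings for recent events that deviate from the baseline.

    Each finding carries every reason that fired, so an analyst can see whether
    an event is merely new or also high-impact and off-hours.
    """
    findings = []
    for e in events:
        reasons = []
        profile = baseline.get(e["principal"])
        if profile is None:
            reasons.append("principal never seen performing admin actions")
        else:
            if e["action"] not in profile["actions"]:
                reasons.append("first-seen action for this principal")
            if e["src"] not in profile["sources"]:
                reasons.append("first-seen source address for this principal")
        if e["action"] in HIGH_IMPACT_ACTIONS:
            reasons.append("high-impact action (creates or widens access)")
        if e["ts"].hour in quiet_hours:
            reasons.append("outside normal working hours (UTC)")
        if reasons:
            findings.append({
                "ts": e["ts"].isoformat(),
                "principal": e["principal"],
                "action": e["action"],
                "reasons": reasons,
            })
    return findings


def run():
    """Build the baseline from the constructed history and score the recent window."""
    baseline = build_baseline(parse_events(BASELINE_LINES))
    return detect_anomalies(baseline, parse_events(RECENT_LINES))


if __name__ == "__main__":
    for f in run():
        print(f["ts"], f["principal"], f["action"], "|", "; ".join(f["reasons"]))
```

The routine `user.create` from the known address is not reported, while the two night-time events each fire four reasons. In practice the baseline would be rebuilt from a rolling window of real audit exports, the high-impact set would be populated from the provider's actual event catalogue, and findings with several reasons would be what the runbook for token theft or privileged-account misuse keys on.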
Living-off-the-land attacks exploit the trust placed in legitimate cloud services and management tools to avoid conventional detection. Security teams that map integrations, monitor administrative activity, enforce least privilege and prepare response playbooks aim to reduce the dwell time of these campaigns.