gcp · persistent disk · for responders

A disk snapshot is a portable copy: cross-project exfiltration in GCP

An attacker snapshots a sensitive disk, shares the snapshot with their own project, and mounts it offline. The source VM is never touched, so reimaging it does nothing.

Exfiltration does not always mean copying files out one by one. Sometimes the attacker takes a perfect, portable copy of the entire volume and walks it into a project you do not control.

How the attack works

An attacker with broad compute permissions creates a snapshot of a persistent disk attached to a database VM holding regulated data. They then modify the IAM policy on the snapshot or image to grant an attacker-controlled project access, or copy the artifact into that project. There they create a new disk from the shared snapshot, attach it to their own VM, and read the contents offline. The original disk is never touched and the whole exposure happens at the storage-artifact layer, so host-level monitoring on the source VM stays quiet. The Cloud Audit Logs Admin Activity entries for compute.disks.createSnapshot, snapshots.setIamPolicy, and the cross-project disks.insert form the authoritative chain. This maps to T1537, Transfer Data to Cloud Account, and T1578, Modify Cloud Compute Infrastructure.

Why it works

IAM permissions on snapshots and images were granted too broadly, and there was no org-policy guardrail on cross-project sharing. Because creating snapshots is normal backup behavior, only the destination, a project outside the organization, betrays the exfiltration.

How to fix it

Reimaging or detaching the source disk is a trap: the data already lives in a snapshot in another project, so nothing you do to the original touches the copy. The real containment is to revoke the cross-project access on the snapshot or image and delete the rogue snapshots, so the portable copy no longer exists or is no longer reachable. For a durable fix, restrict snapshot and image IAM to a minimal set, apply org policy to block cross-project and cross-org sharing of these artifacts, and alert on snapshot sharing and cross-project disk creation. Once a snapshot lands in a project you do not control, assume the full volume is exposed.
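One way to build the alert on snapshot sharing and cross-project disk creation is to correlate the three Admin Activity entries named above. This is an added example, not part of the original note; the project names, principals, trusted-suffix allowlist and the request field layout it reads are assumptions, and the log entries are constructed.

```python
import re

# Assumptions (not from the page): member suffixes that belong to your org, and
# the request layout (policy.bindings[].members, sourceSnapshot/sourceImage).
TRUSTED_SUFFIXES = ("@example.com", "@prod-db.iam.gserviceaccount.com")
ARTIFACT_RE = re.compile(r"projects/([^/]+)/global/(?:snapshots|images)/[^/?]+")

def detect(entries):
    """Return (kind, principal, artifact, detail, source_disk) tuples in time order."""
    disks, hits = {}, []   # disks: snapshot path -> disk it was taken from
    for e in sorted(entries, key=lambda e: e["timestamp"]):
        p = e["protoPayload"]
        method, req = p["methodName"], p.get("request", {})
        who = p["authenticationInfo"]["principalEmail"]
        project = e["resource"]["labels"]["project_id"]
        if method.endswith("compute.disks.createSnapshot"):
            # Normal backup behavior by itself: keep it as context, do not alert.
            snap = f"projects/{project}/global/snapshots/{req.get('name')}"
            disks[snap] = p["resourceName"]
        elif method.endswith(("snapshots.setIamPolicy", "images.setIamPolicy")):
            art = p["resourceName"]
            members = [mem for b in req.get("policy", {}).get("bindings", [])
                       for mem in b.get("members", [])]
            hits += [("shared_outside_org", who, art, mem, disks.get(art))
                     for mem in members if not mem.endswith(TRUSTED_SUFFIXES)]
        elif method.endswith("compute.disks.insert"):
            src = req.get("sourceSnapshot") or req.get("sourceImage") or ""
            m = ARTIFACT_RE.search(src)
            if m and m.group(1) != project:  # disk built from another project's artifact
                hits.append(("cross_project_disk", who, m.group(0), project,
                             disks.get(m.group(0))))
    return hits

def entry(ts, project, method, who, resource, request):  # builds a constructed entry
    return {"timestamp": ts, "resource": {"labels": {"project_id": project}},
            "protoPayload": {"methodName": method, "resourceName": resource,
                             "request": request, "authenticationInfo": {"principalEmail": who}}}

DISK = "projects/prod-db/zones/us-central1-a/disks/db-disk"
SNAP = "projects/prod-db/global/snapshots/db-snap"
SAMPLE = [  # constructed entries, not real logs
    entry("2024-01-01T02:00:00Z", "prod-db", "v1.compute.disks.createSnapshot",
          "ops@example.com", DISK, {"name": "db-snap"}),
    entry("2024-01-01T02:05:00Z", "prod-db", "v1.compute.snapshots.setIamPolicy",
          "ops@example.com", SNAP, {"policy": {"bindings": [{"role": "roles/compute.storageAdmin",
              "members": ["user:backup@example.com", "user:mallory@attacker.test"]}]}}),
    entry("2024-01-01T02:09:00Z", "ext-proj", "v1.compute.disks.insert", "mallory@attacker.test",
          "projects/ext-proj/zones/us-central1-a/disks/copy", {"sourceSnapshot": SNAP}),
]
```

Calling detect(SAMPLE) returns one finding for the outside grant and one for the cross-project disk, each carrying the source disk the snapshot was taken from, which is the artifact trail a responder follows instead of the source VM.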

Practice it

We built this as a GraphLattice Range scenario so responders learn to chase the copied artifact, not the untouched source VM.