The threat actor TRIPLESTRENGTH uses stolen credentials and session cookies, partly sourced from Raccoon infostealer logs, to gain unauthorized access to victim cloud environments. Initially, they used compromised legitimate accounts to create compute resources for cryptocurrency mining. Over time, they evolved their tactics: using highly privileged compromised accounts, they invited attacker-controlled accounts as billing contacts on victim cloud projects. Those elevated billing privileges then let them deploy extensive compute resources for mining, charged to the victim.
Analysis by Google Threat Intelligence Group confirmed their reliance on Raccoon infostealer logs for credentials and cookies, granting access to platforms including Google Cloud, Amazon Web Services (AWS), and Linode. Monitoring by Mandiant revealed that TRIPLESTRENGTH affiliates advertise access to servers from prominent providers, including Google Cloud, AWS, Microsoft Azure, Linode, OVHCloud, and DigitalOcean, on Telegram channels.
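The two behaviours described above, an outside principal being granted billing rights and a burst of compute creation by one identity, are both visible in Cloud Audit Logs. The following detector is an added example, not code from the report, Google, or Mandiant. It assumes the JSON field layout of Cloud Audit Log entries (`protoPayload.serviceName`, `methodName`, `authenticationInfo.principalEmail`, and `serviceData.policyDelta.bindingDeltas` for IAM changes); the organisation domain, thresholds, billing account ID, and the sample log lines are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical victim organisation domain; any other domain is treated as external.
TRUSTED_DOMAINS = {"example.com"}
# Assumed tunable thresholds: N instance creations by one principal inside the window.
INSTANCE_BURST_THRESHOLD = 5
INSTANCE_BURST_WINDOW = timedelta(minutes=10)


def _member_domain(member: str) -> str:
    """'user:alice@example.com' -> 'example.com'; unrecognised shapes return ''."""
    if ":" not in member or "@" not in member:
        return ""
    return member.split(":", 1)[1].rsplit("@", 1)[1].lower()


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(log_lines):
    """Return a list of findings from JSON-encoded audit log entries."""
    findings = []
    inserts = defaultdict(list)  # principal -> timestamps of instances.insert calls
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        service = payload.get("serviceName", "")
        method = payload.get("methodName", "")
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "")
        ts = _parse_ts(entry["timestamp"])

        # Rule 1: billing-account IAM change granting a role to a principal outside the org.
        if service == "cloudbilling.googleapis.com" and method.endswith("SetIamPolicy"):
            deltas = (payload.get("serviceData", {})
                             .get("policyDelta", {})
                             .get("bindingDeltas", []))
            for d in deltas:
                member = d.get("member", "")
                if d.get("action") == "ADD" and _member_domain(member) not in TRUSTED_DOMAINS:
                    findings.append({
                        "rule": "external_billing_principal",
                        "actor": actor,
                        "member": member,
                        "role": d.get("role", ""),
                        "resource": payload.get("resourceName", ""),
                        "timestamp": entry["timestamp"],
                    })

        # Collect instance creations for Rule 2.
        if service == "compute.googleapis.com" and method.endswith("compute.instances.insert"):
            inserts[actor].append(ts)

    # Rule 2: burst of instance creation by a single principal (sliding time window).
    for actor, times in inserts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > INSTANCE_BURST_WINDOW:
                start += 1
            if end - start + 1 >= INSTANCE_BURST_THRESHOLD:
                findings.append({
                    "rule": "compute_creation_burst",
                    "actor": actor,
                    "count": end - start + 1,
                    "window_start": times[start].isoformat(),
                })
                break
    return findings


def _entry(ts, service, method, actor, **extra):
    """Build one constructed audit-log line (illustrative, not real telemetry)."""
    payload = {"serviceName": service, "methodName": method,
               "authenticationInfo": {"principalEmail": actor}}
    payload.update(extra)
    return json.dumps({"timestamp": ts, "protoPayload": payload})


# Constructed sample: a privileged admin adds an outside account as billing admin,
# that account then creates six VMs in five minutes; a developer creates one VM.
SAMPLE_LOG_LINES = [
    _entry("2025-01-10T12:00:00Z", "cloudbilling.googleapis.com", "SetIamPolicy",
           "admin@example.com", resourceName="billingAccounts/012345-ABCDEF-678901",
           serviceData={"policyDelta": {"bindingDeltas": [
               {"action": "ADD", "role": "roles/billing.admin",
                "member": "user:miner@attacker-mail.example"}]}}),
    _entry("2025-01-10T12:05:00Z", "compute.googleapis.com", "v1.compute.instances.insert",
           "dev@example.com"),
] + [
    _entry(f"2025-01-10T12:3{i}:00Z", "compute.googleapis.com", "v1.compute.instances.insert",
           "miner@attacker-mail.example")
    for i in range(6)
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG_LINES):
        print(finding)
```

Rule 1 is the higher-signal alert: a billing-role grant to a principal outside the organisation is rare in normal operations and, in this campaign, precedes the mining spend. Rule 2 is noisier (autoscaling and CI pipelines create bursts legitimately), so in practice it is best scoped to principals that Rule 1 has already flagged or to projects with no expected scale-out activity.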