Kubernetes Service Account Token Theft Surges 282% as Cybercriminals Target Cloud Infrastructure
Cybercriminals are increasingly targeting Kubernetes environments, with attacks involving stolen service account tokens rising 282% over the past year. The IT sector bore the brunt of these breaches, accounting for 78% of incidents, as threat actors exploit misconfigurations and exposed applications to gain footholds in cloud infrastructure.
Rather than relying on complex container escapes, attackers now focus on stealing Kubernetes identities, which let them move laterally from a single compromised container to an organization's core cloud systems. Two recent high-profile attacks underscore the severity of this threat.
In mid-2025, North Korea's Slow Pisces (Lazarus Group), the actor behind a $1.5 billion cryptocurrency heist earlier that year, breached a major crypto exchange by phishing a developer. The attackers deployed a malicious pod into the company's Kubernetes cluster and extracted a highly privileged service account token from it. With that token they bypassed perimeter security, reached backend financial systems, and stole millions.
These attacks follow a recurring pattern: threat actors exploit a vulnerability or misconfiguration to get into a container, steal the Kubernetes credentials available there (typically the service account token mounted into the pod), and use them to escalate privileges and compromise the broader cloud infrastructure. Automated tools such as Peirates, which map a cluster's permissions and extract secrets, accelerate this process and enable rapid lateral movement.
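The pattern above leaves traces in the API server audit log, because every use of a stolen token is a request authenticated as `system:serviceaccount:<namespace>:<name>`. The following detector is an added example, not code from the article or from any product: it runs over audit.k8s.io/v1 events in JSON-lines form and flags four heuristic indicators of token theft and lateral movement. The pod CIDR, the rule set and the sample events are all constructed assumptions.

```python
"""Heuristic detector for stolen or abused Kubernetes service-account tokens.

Added example. Reads audit.k8s.io/v1 events (one JSON object per line) and
reports rule hits. The pod CIDR, the rules and SAMPLE_LOG are constructed
assumptions, not data from any real cluster or from the article.
"""
import ipaddress
import json

# Assumption (constructed): the cluster's pod network. A service-account
# token presented from outside it has most likely been copied out of the pod.
POD_CIDRS = [ipaddress.ip_network("10.244.0.0/16")]

SA_PREFIX = "system:serviceaccount:"
SECRET_READ_VERBS = {"get", "list", "watch"}      # a 403 here is still recon
WRITE_VERBS = {"create", "update", "patch", "delete"}
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}


def parse_sa(username):
    """Return (namespace, name) for a service-account username, else None."""
    if not username.startswith(SA_PREFIX):
        return None
    ns, _, name = username[len(SA_PREFIX):].partition(":")
    return (ns, name) if ns and name else None


def analyze_event(ev):
    """Return the rule hits ('R1'..'R4' tagged strings) for one audit event."""
    sa = parse_sa((ev.get("user") or {}).get("username", ""))
    if sa is None:
        return []                     # only service-account identities are in scope
    sa_ns, sa_name = sa
    ref = ev.get("objectRef") or {}
    resource, sub = ref.get("resource", ""), ref.get("subresource", "")
    target_ns = ref.get("namespace", "")
    verb = ev.get("verb", "")
    code = (ev.get("responseStatus") or {}).get("code", 0)
    who = f"{sa_ns}/{sa_name}"
    outcome = "allowed" if code < 400 else f"denied({code})"
    hits = []

    # R1: token replayed from outside the pod network (exfiltrated token).
    for ip in ev.get("sourceIPs") or []:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not any(addr in cidr for cidr in POD_CIDRS):
            hits.append(f"R1 token-replay {who} from {ip} ({outcome})")
            break

    # R2: reading secrets outside the account's own namespace, or cluster-wide.
    if resource == "secrets" and verb in SECRET_READ_VERBS and target_ns != sa_ns:
        hits.append(f"R2 secrets {who} {verb} in {target_ns or 'cluster-wide'} ({outcome})")

    # R3: a workload identity creating pods (the 'malicious pod' step).
    if resource == "pods" and sub == "" and verb == "create":
        hits.append(f"R3 pod-create {who} in {target_ns or 'cluster-wide'} ({outcome})")

    # R4: minting tokens for other accounts, exec into pods, or editing RBAC.
    if (resource, sub, verb) == ("serviceaccounts", "token", "create") \
            or (resource == "pods" and sub in {"exec", "attach"}) \
            or (resource in RBAC_RESOURCES and verb in WRITE_VERBS):
        target = f"{target_ns or 'cluster'}/{ref.get('name', '?')}"
        hits.append(f"R4 escalation {who} {verb} {resource}/{sub or '-'} {target} ({outcome})")
    return hits


def analyze_log(lines):
    """Parse JSON-lines audit output; skip unparsable lines instead of aborting."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict):
            hits.extend(analyze_event(ev))
    return hits


def _ev(user, verb, resource, ns, ip, code=200, sub="", name=""):
    """Build a minimal constructed audit event line (sample data, not a real log)."""
    ref = {"resource": resource, "subresource": sub, "name": name}
    if ns:
        ref["namespace"] = ns
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
                       "user": {"username": user}, "sourceIPs": [ip],
                       "objectRef": ref, "responseStatus": {"code": code}})


SAMPLE_LOG = [  # constructed sample events
    _ev("system:serviceaccount:payments:api", "get", "configmaps", "payments", "10.244.3.7"),
    _ev("system:serviceaccount:payments:api", "list", "secrets", "", "10.244.3.7", code=403),
    _ev("system:serviceaccount:payments:api", "list", "secrets", "kube-system", "203.0.113.5"),
    _ev("system:serviceaccount:ci:runner", "create", "serviceaccounts", "kube-system",
        "10.244.8.2", sub="token", name="cluster-admin-sa"),
    _ev("system:serviceaccount:payments:api", "create", "pods", "payments", "203.0.113.5"),
    _ev("kubeadmin", "list", "secrets", "", "192.0.2.10"),      # human user: out of scope
    "{not json",                                                 # truncated/rotated line
]

if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(hit)
```

Two design points matter in practice. Denied requests are kept: a service account that is refused a cluster-wide secrets list (the second sample event) is exactly what a tool like Peirates produces while mapping permissions, so a 403 is a reconnaissance signal rather than noise. And R1 only works if the audit policy records `sourceIPs` at Metadata level or above for service-account requests, and if traffic from outside the cluster is not hidden behind a NAT or ingress address inside the pod range; verify both before relying on it.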
Security failures often stem from overprivileged identities and poor configurations. To mitigate these risks, experts recommend:
- Strict Role-Based Access Control (RBAC), so that each service account, and therefore each pod that mounts its token, holds only the permissions its workload actually needs.
- Short-lived service account tokens, to shrink the window in which a stolen token remains usable.
- Runtime monitoring and audit logging to detect anomalous behavior, such as unexpected script downloads or access to restricted files.
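The first two recommendations can be checked statically against the manifests before they reach a cluster. The checker below is an added example, not the article's or any project's code: it computes the permissions a service account effectively holds (including through `system:serviceaccounts` group bindings, a common way to hand cluster-admin to every pod by accident), flags pods that still mount a token by default or request a long-lived projected token, and lists legacy non-expiring token Secrets. The manifests are constructed, and the "dangerous" permission set and the 3600 s threshold are this example's own assumptions.

```python
"""Static check of Kubernetes manifests against the RBAC and token-lifetime
recommendations above.

Added example, not code from the article or any project. The manifests are
constructed; DANGEROUS and MAX_TOKEN_SECONDS are this example's assumptions,
not limits defined by Kubernetes.
"""

# (apiGroup, resource[/subresource], verb) that let a workload identity read
# secrets, run code in pods, mint identities or widen its own RBAC.
DANGEROUS = {
    ("", "secrets", "get"), ("", "secrets", "list"), ("", "secrets", "watch"),
    ("", "pods", "create"), ("", "pods/exec", "create"),
    ("", "serviceaccounts/token", "create"),
    ("rbac.authorization.k8s.io", "rolebindings", "create"),
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"),
    ("rbac.authorization.k8s.io", "clusterroles", "bind"),
    ("rbac.authorization.k8s.io", "clusterroles", "escalate"),
}
MAX_TOKEN_SECONDS = 3600   # assumption: longer than this is not 'short-lived'
SA_TOKEN_SECRET = "kubernetes.io/service-account-token"   # legacy, never expires


def _subject_matches(subject, sa_ns, sa_name, binding_ns):
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "ServiceAccount":   # assumption: missing namespace = binding's
        return name == sa_name and subject.get("namespace", binding_ns) == sa_ns
    if kind == "Group":            # group bindings silently cover every SA
        return name in ("system:serviceaccounts", f"system:serviceaccounts:{sa_ns}")
    return False


def effective_grants(sa_ns, sa_name, bindings, roles):
    """Return {(scope, apiGroup, resource, verb)} the service account holds.
    roles maps (kind, name) -> Role/ClusterRole dict. A RoleBinding scopes even
    a ClusterRole's rules to its own namespace; a ClusterRoleBinding does not."""
    grants = set()
    for b in bindings:
        b_ns = b.get("metadata", {}).get("namespace", "")
        scope = "cluster" if b["kind"] == "ClusterRoleBinding" else b_ns
        if not any(_subject_matches(s, sa_ns, sa_name, b_ns) for s in b.get("subjects", [])):
            continue
        role = roles.get((b["roleRef"]["kind"], b["roleRef"]["name"]), {})
        for rule in role.get("rules", []):
            for g in rule.get("apiGroups", [""]):
                for r in rule.get("resources", []):
                    for v in rule.get("verbs", []):
                        grants.add((scope, g, r, v))
    return grants


def _covers(granted, wanted):
    """RBAC wildcard semantics: '*' in a granted field matches anything."""
    return all(g == "*" or g == w for g, w in zip(granted, wanted))


def overprivilege(grants):
    """Dangerous permissions the account effectively holds, with their scope.
    A wildcard rule is expanded so the report shows what it really allows."""
    return sorted({f"{scope}: {g or 'core'} {r} {v}"
                   for scope, *granted in grants
                   for g, r, v in DANGEROUS if _covers(granted, (g, r, v))})


def pod_findings(pod):
    """Token-mount problems in one Pod: default automount, or a long-lived
    projected token (an omitted expirationSeconds defaults to one hour)."""
    spec, out = pod.get("spec", {}), []
    name = pod.get("metadata", {}).get("name", "?")
    if spec.get("automountServiceAccountToken", True):
        out.append(f"{name}: automountServiceAccountToken not disabled")
    for vol in spec.get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            tok = src.get("serviceAccountToken")
            if tok and tok.get("expirationSeconds", 3600) > MAX_TOKEN_SECONDS:
                out.append(f"{name}: projected token expirationSeconds "
                           f"{tok['expirationSeconds']} exceeds {MAX_TOKEN_SECONDS}")
    return out


def legacy_token_secrets(secrets):
    """Names of non-expiring legacy token Secrets; replace with projected tokens."""
    return [s["metadata"]["name"] for s in secrets if s.get("type") == SA_TOKEN_SECRET]


# ---- constructed sample manifests (dict form of the YAML) ----
ROLES = {
    ("ClusterRole", "cluster-admin"): {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    ("Role", "payments-reader"): {"rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
}
WEAK_BINDINGS = [{   # the classic misconfiguration: cluster-admin for every SA
    "kind": "ClusterRoleBinding", "metadata": {"name": "all-sa-admin"},
    "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
}]
HARDENED_BINDINGS = [{   # one SA, one namespace, two verbs on one resource
    "kind": "RoleBinding", "metadata": {"name": "api-reads-config", "namespace": "payments"},
    "subjects": [{"kind": "ServiceAccount", "name": "api", "namespace": "payments"}],
    "roleRef": {"kind": "Role", "name": "payments-reader"},
}]
WEAK_POD = {"metadata": {"name": "api-old"}, "spec": {"serviceAccountName": "api"}}
HARDENED_POD = {"metadata": {"name": "api-new"}, "spec": {
    "serviceAccountName": "api", "automountServiceAccountToken": False,
    "volumes": [{"name": "sa-token", "projected": {"sources": [{"serviceAccountToken": {
        "path": "token", "audience": "https://kubernetes.default.svc", "expirationSeconds": 600}}]}}]}}
LEGACY_SECRET = {"metadata": {"name": "api-token-abc12"}, "type": SA_TOKEN_SECRET}

if __name__ == "__main__":
    for label, binds in (("weak", WEAK_BINDINGS), ("hardened", HARDENED_BINDINGS)):
        print(label, overprivilege(effective_grants("payments", "api", binds, ROLES)))
    print(pod_findings(WEAK_POD), pod_findings(HARDENED_POD), legacy_token_secrets([LEGACY_SECRET]))
```

Two caveats when applying this. Since Kubernetes 1.22 the token a pod gets by default is already a bound, hourly-rotated projected token, so the truly long-lived credentials are the `kubernetes.io/service-account-token` Secrets the last function looks for; disabling automount is for the many workloads that never call the API at all, and `automountServiceAccountToken` can also be set on the ServiceAccount object, which this pod-level check does not read. And the RBAC expansion is deliberately conservative: it does not model aggregated ClusterRoles or `resourceNames` restrictions, so a clean result from `overprivilege` should be confirmed with `kubectl auth can-i --list --as=system:serviceaccount:<ns>:<name>` against the live cluster.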
Without these safeguards, attackers can chain minor exploits into full-scale cloud compromises, which makes Kubernetes a critical attack surface in modern cyber threats.
Source: https://cyberpress.org/kubernetes-flaws-expose-clouds/
SlowMist cybersecurity rating report: https://www.rankiteo.com/company/slowmist
"id": "SLO1775637310",
"linkid": "slowmist",
"type": "Cyber Attack",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'FinTech',
'name': 'Major crypto exchange (unnamed)',
'type': 'Cryptocurrency Exchange'},
{'industry': 'IT'}],
'attack_vector': ['Phishing',
'Exploiting misconfigurations',
'Exposed applications'],
'data_breach': {'data_exfiltration': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Service account tokens',
'Financial data']},
'description': 'Cybercriminals are increasingly targeting Kubernetes '
'environments, with attacks involving stolen service account '
'tokens rising 282% over the past year. The IT sector bore the '
'brunt of these breaches, accounting for 78% of incidents, as '
'threat actors exploit misconfigurations and exposed '
'applications to gain footholds in cloud infrastructure. '
'Attackers focus on stealing Kubernetes identities to move '
'laterally from a single compromised container to an '
'organization’s core cloud systems. Two recent high-profile '
'attacks underscore the severity of this threat.',
'impact': {'data_compromised': 'Service account tokens, backend financial '
'systems data',
'financial_loss': '$1.5 billion (cryptocurrency heist context)',
'operational_impact': 'Lateral movement within cloud systems, '
'unauthorized access to core systems',
'revenue_loss': 'Millions (specific crypto exchange incident)',
'systems_affected': ['Kubernetes clusters',
'Cloud infrastructure',
'Backend financial systems']},
'initial_access_broker': {'entry_point': 'Phishing a developer',
'high_value_targets': 'Backend financial systems'},
'lessons_learned': 'Security failures often stem from overprivileged '
'identities and poor configurations. Attackers exploit '
'vulnerabilities to infiltrate containers, steal '
'Kubernetes credentials, and escalate privileges to '
'compromise broader cloud infrastructure.',
'motivation': ['Financial gain', 'Data exfiltration'],
'post_incident_analysis': {'corrective_actions': ['Strict RBAC',
'Short-lived tokens',
'Runtime monitoring'],
'root_causes': ['Overprivileged identities',
'Poor Kubernetes configurations',
'Exploited misconfigurations']},
'recommendations': ['Implement strict Role-Based Access Control (RBAC) to '
'limit pod permissions.',
'Use short-lived service account tokens to reduce the '
'window for exploitation.',
'Deploy runtime monitoring and audit logging to detect '
'anomalous behavior.'],
'references': [{'source': 'Cybersecurity Report'}],
'response': {'enhanced_monitoring': ['Runtime monitoring', 'Audit logging'],
'remediation_measures': ['Strict Role-Based Access Control '
'(RBAC)',
'Short-lived service account tokens']},
'threat_actor': ['Slow Pisces (Lazarus Group)', 'Other cybercriminals'],
'title': 'Kubernetes Service Account Token Theft Surges 282% as '
'Cybercriminals Target Cloud Infrastructure',
'type': 'Cloud Infrastructure Compromise',
'vulnerability_exploited': ['Overprivileged identities',
'Poor Kubernetes configurations']}