Government‑Backed Hackers Exploit Cloudflare Storage for Malaysian Espionage Campaign
What Happened — State‑sponsored actors leveraged Cloudflare’s storage platforms (R2, Workers KV) to host hidden command‑and‑control (C2) infrastructure and to exfiltrate data from targets in Malaysia. Security researchers observed anomalous traffic to Cloudflare‑hosted domains that were used to stage the espionage operation.
Why It Matters for TPRM —
- Third‑party cloud services can be repurposed as covert C2, bypassing traditional perimeter defenses.
- Data exfiltration through legitimate cloud endpoints may evade DLP and network monitoring.
- Reliance on a single provider without granular usage controls expands supply‑chain risk.
Who Is Affected — Government agencies and any Malaysian organizations that employ Cloudflare storage services (e.g., web applications, SaaS platforms).
Recommended Actions —
- Review contracts and security clauses with Cloudflare; ensure visibility into storage usage.
- Enable detailed logging and alerting for Cloudflare‑origin traffic and DNS queries.
- Deploy egress filtering and anomaly detection to spot unusual data flows to Cloudflare domains.
- Conduct a risk assessment of all workloads that depend on Cloudflare’s edge services.
Technical Notes — Attack vector: abuse of Cloudflare storage (R2/Workers KV) for hidden C2 and data exfiltration. No specific CVE reported; the threat leveraged legitimate services rather than a software flaw. Likely exfiltrated classified or sensitive government data. Source: HackRead – Government Backed Hackers Abuse Cloudflare in Malaysian Espionage Campaign