▾ G11 Media Network: | ChannelCity | ImpresaCity | SecurityOpenLab | Italian Channel Awards | Italian Project Awards | Italian Security Awards | ...
InnovationOpenLab

Sygnia Investigation Finds AI Accelerated Attack Enabled Lone Threat Actor to Rapidly Compromise Enterprise Cloud Environment

Sygnia, the foremost global cyber readiness and response firm, today released the initial findings from its investigation into an active cyberattack in which a lone threat actor used AI as a force mul...

Immagine

Financially motivated cyberattack reveals agentic AI workflows to accelerate victim reconnaissance, attack tool development, command structuring and environment-specific adaptation.

  • AI-assisted attack at scale accelerated initial access to broad cloud compromise within 72 hours.
  • Attacker-developed scripts and malicious code exhibited characteristics consistent with AI generation, indicating code was created or adapted as the intrusion progressed.
  • Threat actor-created artifacts were labeled as “pentest” and “red team,” suggesting an effort to disguise malicious activity and organize attack workflows.

TEL-AVIV & NEW YORK: Sygnia, the foremost global cyber readiness and response firm, today released the initial findings from its investigation into an active cyberattack in which a lone threat actor used AI as a force multiplier to financially extort a global enterprise. The investigation found evidence of attacker-developed scripts, highly parallel activity, and rapid, environment-specific adaptation across cloud services. Together, these attributes are consistent with agentic AI-assisted workflows designed to execute attacks at a speed and scale beyond what is typically expected from a single human operator.

Rather than relying on novel malware or zero-day exploits, the threat actor used AI to execute multiple well-known cloud attack techniques across a broad attack surface at a pace that significantly outstripped the victim's ability to respond. Conducted within an AWS environment, the intrusion did not exploit a single misconfiguration. Instead, it chained together weaknesses across application services, AWS resources, source code repositories, CI/CD pipelines, runtime components, and data stores. Simultaneously, the threat actor rapidly performed credential discovery, secrets harvesting, cloud enumeration, deployment pipeline abuse, runtime modification, database access, and operational disruption.

“Cloud intrusions stemming from exposed secrets and weak identity controls are nothing new. What stood out in our investigation was the speed at which the attacker moved after gaining initial access and the sheer volume of malicious activity executed within a remarkably compressed timeframe,” said Avi Dayan, Vice President of Incident Response at Sygnia. “An attack that would have typically taken weeks to execute all happened under 72 hours. This case underscores a growing challenge for defenders: as large language models and agentic AI become more accessible, they have the potential to lower the barrier to entry, accelerate attack workflows, and enable less sophisticated or resource-constrained threat actors to operate with unprecedented speed and scale.”

Rather than following a conventional step-by-step attack path, this AI-assisted intrusion unfolded across multiple fronts simultaneously. As new opportunities were identified, the threat actor appeared to execute numerous standard post-compromise techniques in parallel, compressing what would typically take minutes or hours into seconds. For example, in one observed second, the threat actor leveraged four different access keys belonging to four separate accounts, all from the same source IP address and user agent. This activity is consistent with automated, centrally orchestrated, and potentially AI-agent-driven execution.

Additionally, each newly acquired access key was rapidly leveraged to enumerate associated permissions and accessible resources, allowing the threat actor to efficiently identify the highest-value opportunities for lateral movement and data access. Within the data layer, the investigation revealed several hundred unique SQL queries executed across dozens of databases, rapidly enumerating schemas and identifying relevant data. Similar behavior was observed in the application layer, where the threat actor mapped relationships between SQS queues, vulnerable workers, payload injection points, and deployment-related files used to manage clusters. Together, these behaviors demonstrate rapid, environment-specific adaptation consistent with AI-assisted or centrally orchestrated activity capable of processing context and tailoring actions at a speed that exceeds what would typically be expected from a human operator.

This attack underscores how AI can amplify the impact of existing security caps, exposing shortcomings in enterprise readiness, visibility, and operational maturity. These findings reinforce Sygnia’s CISO Survey 2026, which found that 73% of 600 surveyed senior IT security decision-makers do not believe their organizations would be fully prepared to respond to a serious cyberattack if one occurred tomorrow.

To learn more about the initial findings, read Sygnia’s full threat report. Then join lead investigators Eldar Goren and Sergey Kozyrev for our upcoming webinar, Inside an AI-Assisted Cloud Attack: Familiar Techniques at Unfamiliar Speed, on July 15th at 10 am ET, where they’ll break down the investigation, explain how AI accelerated the attack lifecycle, and discuss what security teams can do to prepare for this emerging threat.

About Sygnia

Sygnia is the world’s foremost incident response and cyber readiness team. It applies creative approaches and bold solutions to each phase of an organization’s security journey, meeting them where they are to ensure cyber resilience. Sygnia is the trusted advisor and service provider of leading organizations worldwide, including Fortune 100 companies. Sygnia is a Temasek company, part of the ISTARI Collective.

Fonte: Business Wire

If you liked this article and want to stay up to date with news from InnovationOpenLab.com subscribe to ours Free newsletter.

Related news

Last News

RSA at Cybertech Europe 2024

Alaa Abdul Nabi, Vice President, Sales International at RSA presents the innovations the vendor brings to Cybertech as part of a passwordless vision for…

Italian Security Awards 2024: G11 Media honours the best of Italian cybersecurity

G11 Media's SecurityOpenLab magazine rewards excellence in cybersecurity: the best vendors based on user votes

How Austria is making its AI ecosystem grow

Always keeping an European perspective, Austria has developed a thriving AI ecosystem that now can attract talents and companies from other countries

Sparkle and Telsy test Quantum Key Distribution in practice

Successfully completing a Proof of Concept implementation in Athens, the two Italian companies prove that QKD can be easily implemented also in pre-existing…

Most read

Kioxia Commences Sample Shipments of 10th-Generation BiCS FLASH™ Devices…

Kioxia Corporation, a world leader in memory solutions, today announced that it has commenced sample shipments of 1Tb (terabit) Triple-Level-Cell (TLC)…

Together AI Raises $800 Million at $8.3 Billion Valuation to Make Frontier…

Together AI, the company making it dramatically cheaper and easier to run open source AI models at scale, today announced an $800 million Series C financing…

Second Front and Cohere Successfully Deploy Sovereign AI Infrastructure…

#ai--Second Front Systems (2F) and Cohere today announced the successful deployment of Cohere North in a live edge environment in the United Arab Emirates…

Circus Completes Acquisition of Belgian Food Robotics Company Alberts

Circus SE (WKN: A2YN35 / ISIN: DE000A2YN355 / XETRA: CA1) announces the completion of the full acquisition of Belgian food robotics company Alberts, as…

Newsletter signup

Join our mailing list to get weekly updates delivered to your inbox.

Sign me up!