Unexpected GCP API calls indicating Compute Engine GPU instance creation
Description
AlphaSOC detected creation of a GCP Compute Engine instance with GPU
accelerators via compute.instances.insert. GPU instances are commonly targeted
by attackers for cryptomining due to their high compute power. Adversaries who
compromise cloud credentials often create GPU instances to mine cryptocurrency
at the victim's expense, or to host unauthorized AI workloads.
Impact
Unauthorized GPU instance creation can result in significant unexpected cloud costs, as GPU instances are substantially more expensive than standard instances. Attackers may use these resources for cryptomining or running rogue AI models.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, user agent or region) |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the compute.instances.insert action with
guestAccelerators configured. Identify the principal that created the instance
and verify whether this aligns with legitimate machine learning or compute workflows.
If unauthorized, immediately terminate the GPU instance to stop ongoing costs. Investigate the compromised identity and rotate its credentials. Review billing alerts and set up budget notifications to detect similar activity.
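The triage described above, as an added example that is not part of the AlphaSOC rule: a small Python checker that picks out compute.instances.insert audit-log entries carrying guestAccelerators and rates them on the Informational/Low/Medium ladder from the severity table. It assumes constructed Cloud Audit Log entries in the shape Compute Engine emits, a hard-coded per-principal baseline and a constructed IP-to-ASN table (both placeholders for real history and enrichment data).

```python
# Constructed per-principal baseline (assumption: in practice this is learned
# from historical audit logs; hard-coded here so the example runs offline).
BASELINE = {"ml-pipeline@example-project.iam.gserviceaccount.com": {
    "action": {"v1.compute.instances.insert"}, "region": {"us-central1"},
    "user_agent": {"google-api-go-client/0.5"}, "asn": {15169}}}
IP_TO_ASN = {"35.190.0.10": 15169, "203.0.113.7": 64496}  # constructed enrichment table
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}     # ladder from the table above

def unexpected_properties(entry):
    """Return which of action, region, user agent and ASN deviate from the caller's baseline."""
    p = entry["protoPayload"]
    base = BASELINE.get(p["authenticationInfo"]["principalEmail"], {})
    zone = entry["resource"]["labels"]["zone"]  # zone "us-central1-a" -> region "us-central1"
    observed = {
        "action": p["methodName"],
        "region": zone.rsplit("-", 1)[0],
        "user_agent": p["requestMetadata"]["callerSuppliedUserAgent"],
        "asn": IP_TO_ASN.get(p["requestMetadata"]["callerIp"]),
    }
    return [k for k, v in observed.items() if v not in base.get(k, set())]

def assess(entry):
    """Return (severity, unexpected properties) for a GPU instance insert, else None."""
    p = entry.get("protoPayload", {})
    if not p.get("methodName", "").endswith("compute.instances.insert"):
        return None
    if not p.get("request", {}).get("guestAccelerators"):
        return None  # plain instance insert, outside this rule's scope
    unexpected = unexpected_properties(entry)
    return SEVERITY.get(min(len(unexpected), 3)), unexpected

def make_entry(principal, zone, user_agent, ip, accelerators=()):
    """Constructed minimal Cloud Audit Log entry in the shape Compute Engine emits."""
    return {
        "protoPayload": {
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": user_agent},
            "request": {"@type": "type.googleapis.com/compute.instances.insert",
                        "guestAccelerators": list(accelerators)},
        },
        "resource": {"type": "gce_instance", "labels": {"zone": zone}},
    }

SA = "ml-pipeline@example-project.iam.gserviceaccount.com"
T4 = [{"acceleratorType": "zones/asia-east1-b/acceleratorTypes/nvidia-tesla-t4", "acceleratorCount": 1}]
EXPECTED = make_entry(SA, "us-central1-a", "google-api-go-client/0.5", "35.190.0.10", T4)
SUSPICIOUS = make_entry(SA, "asia-east1-b", "python-requests/2.31.0", "203.0.113.7", T4)
NO_GPU = make_entry(SA, "asia-east1-b", "python-requests/2.31.0", "203.0.113.7")
```

`assess(SUSPICIOUS)` returns `("Medium", ["region", "user_agent", "asn"])`, matching the three-property row of the table, while the same request without guestAccelerators is ignored by this rule.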