Unexpected GCP API calls indicating VPC network deletion
Description
AlphaSOC detected deletion of a GCP VPC network. VPC network deletion is a destructive action that removes all associated resources including subnets, firewall rules, and routes. This can cause significant service disruption and may indicate malicious activity.
Impact
Deleting a VPC network immediately disconnects all resources in that network, causing service outages. All associated firewall rules, routes, and subnets are also deleted. This can be part of a destructive attack aimed at causing maximum business impact or covering tracks.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the v1.compute.networks.delete action. Identify the deleted network and the principal responsible. Assess the impact on connected resources.
If unauthorized, recreate the VPC network and associated resources from infrastructure as code or documentation. Review audit logs for other destructive actions that may indicate a broader attack. Rotate credentials for the compromised identity and implement organization policies to restrict network deletion.
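As an added example (not AlphaSOC's own code), the following Python scores v1.compute.networks.delete audit log entries against a per-principal baseline using the severity table above, so one unexpected property among action, ASN, user agent and region is Informational, two is Low and three is Medium. The "enrichment" keys asn and region, the baseline and the sample entries are constructed assumptions; the remaining field paths follow the Cloud Audit Log JSON shape.

```python
# Added example (not AlphaSOC code). "enrichment" keys asn/region are assumed to
# be added upstream; the remaining field paths follow the Cloud Audit Log JSON shape.
DELETE_METHOD = "v1.compute.networks.delete"
SEVERITY = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}

# Constructed baseline: what each principal is normally seen doing, and from where.
BASELINE = {
    "iac-deployer@example-project.iam.gserviceaccount.com": {
        "action": {"v1.compute.networks.insert", DELETE_METHOD},
        "asn": {15169},
        "user_agent": {"Terraform/1.6.0"},
        "region": {"US"},
    },
}

def score_network_delete(entry):
    """Return (principal, network, severity, unexpected) or None if not a delete."""
    payload = entry["protoPayload"]
    if payload.get("methodName") != DELETE_METHOD:
        return None
    principal = payload["authenticationInfo"]["principalEmail"]
    enrich = entry.get("enrichment", {})
    observed = {
        "action": payload["methodName"],
        "asn": enrich.get("asn"),
        "user_agent": payload.get("requestMetadata", {}).get("callerSuppliedUserAgent"),
        "region": enrich.get("region"),
    }
    known = BASELINE.get(principal, {})  # unknown principal: everything is unexpected
    unexpected = [p for p, v in observed.items() if v not in known.get(p, set())]
    # The table stops at three properties; an unknown principal (four) is capped at Medium.
    return principal, payload["resourceName"], SEVERITY[min(len(unexpected), 3)], unexpected

def triage(entries):
    """Score every network-delete entry in a batch, skipping other methods."""
    return [r for r in map(score_network_delete, entries) if r is not None]

def make_entry(principal, user_agent, asn, region, method=DELETE_METHOD):
    """Build a constructed audit log entry in Cloud Audit Log JSON shape."""
    return {"protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": principal},
                             "requestMetadata": {"callerSuppliedUserAgent": user_agent},
                             "resourceName": "projects/example-project/global/networks/prod-vpc"},
            "enrichment": {"asn": asn, "region": region}}

# Constructed batch: routine IaC delete, same principal via unfamiliar tool/ASN/region, a list call.
IAC = "iac-deployer@example-project.iam.gserviceaccount.com"
SAMPLE = [
    make_entry(IAC, "Terraform/1.6.0", 15169, "US"),
    make_entry(IAC, "gcloud/450.0.0", 64496, "BR"),
    make_entry(IAC, "Terraform/1.6.0", 15169, "US", method="v1.compute.networks.list"),
]
```

Entries scored None still warrant the review described above; the score only ranks how far the deletion departs from the principal's baseline.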
Known False Positives
- Planned infrastructure decommissioning
- Migration to new network architectures
- Cleanup of test environments