GCP API calls indicating VPC route deletion
Description
AlphaSOC detected the deletion of a route from a Google Cloud VPC network, recorded in Cloud Audit Logs as a Compute Engine API call whose methodName ends in compute.routes.delete (the logged value carries the API version, e.g. v1.compute.routes.delete). Route deletion may disrupt network connectivity, or it may be cleanup that removes evidence of earlier malicious network changes: an attacker who inserted a custom route to steer traffic through a host they control may delete it once exfiltration is complete, restoring normal traffic patterns and reducing the chance of detection.
Impact
Route deletion can cause service disruption by breaking connectivity between resources that depended on the deleted path. It may also be anti-forensics: removing a route the attacker created earlier erases the most visible trace of the unauthorized network modification, leaving the audit-log record as the remaining evidence. Deleting a custom route whose next hop is an inspection or egress-control appliance can also take traffic out of the path of monitoring or security controls.
Severity
| Severity | Condition |
|---|---|
| Low | First VPC route deletion observed from a given user or service account |
Investigation and Remediation
Identify the deleted route from the audit entry's resourceName and establish what it did in the network architecture (destination range, next hop, priority, instance tags) from change records or from the audit entry of the original compute.routes.insert call. Verify the identity of the caller (authenticationInfo.principalEmail) and the origin of the call (requestMetadata.callerIp and callerSuppliedUserAgent), and confirm the action was authorized, for example by a change ticket or an infrastructure-as-code run. Check for service disruptions that may have resulted from the deletion. If unauthorized, look for an earlier compute.routes.insert of the same route by the same principal or from the same source address: a create-then-delete pair bracketing a window of unusual traffic suggests a temporary route used for interception or exfiltration that is now being cleaned up, and the next hop named in that insert should be treated as a potentially compromised host.
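The detection and the cleanup check described above, as an added example that is not AlphaSOC's own detection code. It parses Cloud Audit Log entries in the Admin Activity protoPayload layout (methodName, resourceName, authenticationInfo, requestMetadata), raises a Low finding on the first compute.routes.delete seen from each principal, and flags a deletion of a route the same principal inserted earlier in the window. The log lines are constructed for this example; the project, principals, route names, IP addresses and timestamps are invented.

```python
"""Flag VPC route deletions in GCP Cloud Audit Log entries (added example)."""
import json
from datetime import datetime

ROUTE_DELETE = "compute.routes.delete"
ROUTE_INSERT = "compute.routes.insert"


def _entry(ts, method, resource, principal, ip):
    # Build one constructed audit-log line in the shape of a real Admin Activity entry.
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
        },
    })


ROUTES = "projects/example-prod/global/routes/"  # invented project
SAMPLE_LOG_LINES = [
    # Deliberately out of order: the detector sorts by timestamp before tracking state.
    _entry("2024-03-01T12:00:00Z", "v1.compute.routes.delete", ROUTES + "rt-legacy-egress-2",
           "alice@example.com", "198.51.100.7"),
    _entry("2024-03-01T09:00:00Z", "v1.compute.routes.insert", ROUTES + "rt-to-nat-vm",
           "deploy-sa@example-prod.iam.gserviceaccount.com", "203.0.113.10"),
    _entry("2024-03-01T09:30:00Z", "v1.compute.routes.delete", ROUTES + "rt-legacy-egress",
           "alice@example.com", "198.51.100.7"),
    _entry("2024-03-01T11:45:00Z", "v1.compute.routes.delete", ROUTES + "rt-to-nat-vm",
           "deploy-sa@example-prod.iam.gserviceaccount.com", "203.0.113.10"),
    # Unrelated Compute call: must not produce a finding.
    _entry("2024-03-01T10:00:00Z", "v1.compute.instances.delete",
           "projects/example-prod/zones/us-central1-a/instances/web-1",
           "bob@example.com", "198.51.100.9"),
]


def parse_entries(log_lines):
    """Parse JSON log lines and return them ordered by timestamp."""
    entries = []
    for line in log_lines:
        entry = json.loads(line)
        entry["_ts"] = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
        entries.append(entry)
    return sorted(entries, key=lambda e: e["_ts"])


def detect_route_deletions(log_lines):
    """Return one finding per compute.routes.delete call.

    first_delete_by_principal implements the severity condition (Low on the first
    deletion seen from a principal). deleted_own_route flags the cleanup pattern:
    the same principal inserted that route earlier in the window.
    """
    seen_deleters = set()
    own_inserts = {}  # (principal, route resourceName) -> insert time
    findings = []
    for entry in parse_entries(log_lines):
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")  # e.g. "v1.compute.routes.delete"
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        route = payload.get("resourceName", "")
        if method.endswith(ROUTE_INSERT):
            own_inserts[(principal, route)] = entry["_ts"]
            continue
        if not method.endswith(ROUTE_DELETE):
            continue
        first_time = principal not in seen_deleters
        seen_deleters.add(principal)
        inserted_at = own_inserts.get((principal, route))
        findings.append({
            "timestamp": entry["timestamp"],
            "principal": principal,
            "route": route,
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp", ""),
            "first_delete_by_principal": first_time,
            "severity": "Low" if first_time else "none",
            "deleted_own_route": inserted_at is not None,
            "minutes_since_own_insert": (
                int((entry["_ts"] - inserted_at).total_seconds() // 60) if inserted_at else None
            ),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_route_deletions(SAMPLE_LOG_LINES):
        print(json.dumps(finding))
```

On the sample, alice's first deletion and the service account's deletion both score Low, alice's second deletion falls below the first-time threshold, and the service account's deletion is additionally marked as removing a route it inserted 165 minutes earlier, which is the create-then-delete pair the investigation steps tell you to look for. Matching on the suffix of methodName rather than the full string keeps the check independent of the API version prefix.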
Known False Positives
- Legitimate network infrastructure cleanup
- Decommissioning of deprecated network paths
- Migration activities involving route restructuring
- Infrastructure-as-code runs (for example Terraform applies) that replace a route by deleting and re-inserting it, since Compute Engine routes cannot be modified in place