Unexpected GCP API calls indicating VPC route deletion
Description
AlphaSOC detected the deletion of a route from a Google Cloud VPC network via
v1.compute.routes.delete. Route deletion may disrupt network connectivity or
be part of cleanup activities to remove evidence of malicious network changes.
Attackers may delete routes after completing data exfiltration to restore normal
traffic patterns and avoid detection.
Impact
Route deletion can cause service disruption by breaking network connectivity between resources. It may also be used as part of anti-forensics activity to remove traces of unauthorized network modifications. In some cases, route deletion could isolate resources from monitoring or security controls.
Severity
| Severity | Condition |
|---|---|
| Informational | GCP API calls indicating VPC route deletion |
| Low | Unexpected GCP API calls indicating VPC route deletion |
| Medium | Suspicious GCP API calls indicating VPC route deletion |
Investigation and Remediation
Identify the route that was deleted and understand its purpose in the network architecture. Verify the identity of the user who deleted the route and confirm the action was authorized. Check for service disruptions that may have resulted from the deletion. If unauthorized, investigate whether the route was previously created maliciously and is now being cleaned up.
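The triage steps above can be partly automated against Cloud Audit Logs. The following is an added example, not AlphaSOC's detection code: it reads audit log entries in the documented Cloud Audit Log JSON shape (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.resourceName`), pulls out every `v1.compute.routes.delete` call, and pairs each deletion with any recent `v1.compute.routes.insert` for the same route. A route that the same principal created and then deleted within a short window matches the create-then-clean-up pattern the guidance asks you to look for. The sample entries, project name, route names, e-mail addresses and the 24-hour window are constructed placeholders.

```python
"""Triage helper for GCP VPC route deletions (added example, not AlphaSOC's code)."""
from datetime import datetime, timedelta

DELETE_METHOD = "v1.compute.routes.delete"   # method named in the alert
INSERT_METHOD = "v1.compute.routes.insert"   # the corresponding create call

# Constructed sample Cloud Audit Log entries. Project, route names and
# principals are placeholders, not real data.
SAMPLE_ENTRIES = [
    {
        "timestamp": "2024-01-01T10:00:00Z",
        "protoPayload": {
            "methodName": INSERT_METHOD,
            "authenticationInfo": {"principalEmail": "svc-batch@example.com"},
            "resourceName": "projects/proj-example/global/routes/tmp-egress-route",
        },
    },
    {
        "timestamp": "2024-01-01T11:30:00Z",
        "protoPayload": {
            "methodName": DELETE_METHOD,
            "authenticationInfo": {"principalEmail": "svc-batch@example.com"},
            "resourceName": "projects/proj-example/global/routes/tmp-egress-route",
        },
    },
    {
        "timestamp": "2024-01-01T12:00:00Z",
        "protoPayload": {
            "methodName": DELETE_METHOD,
            "authenticationInfo": {"principalEmail": "netops@example.com"},
            "resourceName": "projects/proj-example/global/routes/legacy-onprem-route",
        },
    },
]


def _ts(raw: str) -> datetime:
    # Audit log timestamps are RFC 3339 with a trailing "Z"; make them tz-aware.
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def parse_entry(entry: dict) -> dict:
    """Flatten the fields needed for triage out of one audit log entry."""
    payload = entry.get("protoPayload", {})
    return {
        "ts": _ts(entry["timestamp"]),
        "method": payload.get("methodName", ""),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        "resource": payload.get("resourceName", ""),
    }


def route_name(resource: str) -> str:
    # resourceName looks like projects/<project>/global/routes/<route>
    return resource.rsplit("/", 1)[-1]


def project_of(resource: str) -> str:
    parts = resource.split("/")
    return parts[1] if len(parts) > 1 and parts[0] == "projects" else ""


def find_route_deletions(entries, window: timedelta = timedelta(hours=24)) -> list:
    """Return one finding per route deletion, annotated with create/delete pairing.

    `window` (assumed 24h here) bounds how far back to look for an insert of
    the same route; a same-principal insert inside the window is the
    create-then-delete pattern worth a closer look.
    """
    events = sorted((parse_entry(e) for e in entries), key=lambda e: e["ts"])
    inserts = [e for e in events if e["method"] == INSERT_METHOD]
    findings = []
    for ev in events:
        if ev["method"] != DELETE_METHOD:
            continue
        prior = [
            i for i in inserts
            if i["resource"] == ev["resource"] and timedelta(0) <= ev["ts"] - i["ts"] <= window
        ]
        same_actor = any(i["principal"] == ev["principal"] for i in prior)
        if same_actor:
            note = "created and deleted by the same principal within the window; confirm the route was authorized"
        elif prior:
            note = "short-lived route removed; confirm the create and delete were both expected"
        else:
            note = "long-lived route removed; check the change record and look for connectivity disruption"
        findings.append({
            "project": project_of(ev["resource"]),
            "route": route_name(ev["resource"]),
            "principal": ev["principal"],
            "deleted_at": ev["ts"].isoformat(),
            "created_in_window": bool(prior),
            "created_by_same_principal": same_actor,
            "note": note,
        })
    return findings


if __name__ == "__main__":
    for f in find_route_deletions(SAMPLE_ENTRIES):
        print(f"{f['deleted_at']} {f['project']}/{f['route']} by {f['principal']}: {f['note']}")
```

Feed it the JSON you export from Cloud Logging for the alert's time range and review the findings where `created_by_same_principal` is true first; a deletion with no recent insert is more often routine cleanup, which is where the change record and a connectivity check decide it.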
Known False Positives
- Legitimate network infrastructure cleanup
- Decommissioning of deprecated network paths
- Migration activities involving route restructuring