SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers
India
Google warns public sector on 22-second cyber hand-off

Google warns public sector on 22-second cyber hand-off

Tue, 14th Jul 2026 (Today)
Sean Mitchell
SEAN MITCHELL Publisher

Google has published a report on cyber threats facing public sector organisations, drawing on more than 500,000 hours of Mandiant incident investigations in 2025.

The report identifies the sharpest shift as the speed at which attacks now move from initial access to ransomware deployment. It puts the median hand-off time between an initial access broker and a ransomware operator at 22 seconds, leaving little room for manual triage by security teams.

It also warns that government agencies are no longer defending a fixed network edge. Instead, they increasingly rely on interconnected trust relationships, including user identities, service accounts, cloud tools, and administrative systems, which attackers are exploiting to gain and maintain access.

Attack patterns

Among the main trends is what the report calls a persistence paradox. State-backed espionage groups are maintaining access for years in some cases, with some intrusions going undetected for more than five years.

That creates a direct problem for agencies that retain telemetry for only 90 days, as investigators may lack the records needed to understand the full scope of a compromise. In practice, long-running intrusions can outlast the period in which many organisations keep the evidence needed to trace them.

Another concern is attackers' move into the virtualisation layer. Threat actors are targeting virtualisation management planes and using techniques such as snapshot mounting to copy data from domain controllers without relying on access inside a guest operating system.

By operating at that layer, attackers can evade some tools installed within individual machines. That increases pressure on public sector technology teams to monitor infrastructure components not always treated as frontline security assets.

The report also highlights growing risks tied to software-as-a-service integrations, particularly in state and local government. Compromises involving non-human identities such as service accounts and OAuth tokens can spread beyond a single application and affect wider agency systems through linked cloud services.

This so-called SaaS domino effect reflects how heavily many agencies rely on third-party cloud applications to deliver services. A single compromised identity or token can become the starting point for broader access across multiple systems.

Human trust

Voice phishing has also become more prominent. The report says vishing accounted for 11% of global infections and has proved particularly effective when aimed at help desks and IT administrators who can reset passwords or enrol devices.

That focus on trusted staff underscores a wider point: the human element remains central even as attacks become more automated. Administrative trust, not just software flaws, is increasingly being used as an entry point.

Google argues that these changes require public sector bodies to move towards continuous verification, with access and system trust checked repeatedly rather than assumed. It says resilience should be measured not only by whether a breach is prevented, but also by whether an agency can continue operating while under attack.

To support that approach, Google points to several products in its security portfolio. These include Chrome Enterprise Premium for context-aware access controls, Google Security Operations for large-scale telemetry analysis and alert management, and Security Command Centre for visibility into cloud and virtualisation environments.

Google Security Operations also now includes three AI-based autonomous agents announced at Cloud Next '26: a Threat Hunting agent, a Detection Engineering agent, and a Third-Party Context agent. The tools are intended to help analysts find hidden attack patterns, identify gaps in telemetry coverage, and add external context to investigations.

In infrastructure security, Google also pointed to its partnership with Wiz as part of a push for greater visibility into cloud configurations and hypervisors. The report argues that agencies need stronger oversight of those layers to detect unauthorised snapshot mounting and configuration drift used by attackers to maintain access.

Public sector use

Google cited two public sector users as examples of how its tools are being deployed. The Pasco Sheriff's Office used Google Security Operations to combine security tools and operational workflows, while the State of Connecticut used the platform to reduce forensic investigation times from months to hours, according to Google.

The report places those examples within a broader shift in government security operations away from manual investigation and towards automated analysis. With attacks now measured in seconds rather than hours, it argues that agencies need faster detection, broader log retention, and closer scrutiny of identity and infrastructure controls.

"The most alarming trend in this year's M-Trends data is the 22-second hand-off: the median time between an initial access broker establishing a foothold and the hand-off to a ransomware operator," Google said.