TL;DR: Storm-0501 has used weak credentials and over-privileged accounts to move from on-premises systems into cloud platforms, showing how unmanaged non-human identities can enable persistent lateral movement across hybrid environments, according to Oasis Security. The real failure is not just exposure, but governance that assumes machine access stays visible, owned, and reviewable long enough to be controlled.
At a glance
What this is: Storm-0501’s hybrid-cloud campaign shows how weak credentials and over-privileged non-human identities can enable lateral movement from on-premises systems into cloud platforms.
Why it matters: It matters because IAM, PAM, and NHI programmes need to govern machine identities as cross-environment attack paths, not as isolated credentials or config records.
By the numbers:
- NHIs now outnumber human identities on average by a factor of 20, according to recent research by ESG.
👉 Read Oasis Security's analysis of Storm-0501 and hybrid-cloud NHI risk
Context
Storm-0501 is a real example of how a hybrid-cloud environment turns non-human identities into movement paths rather than simple access records. The article describes the group exploiting weak credentials and over-privileged accounts to move from on-premises systems into cloud platforms, which is a classic NHI governance failure in distributed infrastructure.
The governance gap is familiar: machine identities are spread across service accounts, tokens, and cloud-connected workloads, but ownership and lifecycle control are often fragmented. When those identities are stale, over-scoped, or invisible to the programme, attackers can reuse them to cross trust boundaries and persist inside the environment.
Key questions
Q: What breaks when hybrid-cloud service accounts are over-privileged?
A: Over-privileged hybrid-cloud service accounts let attackers reuse trusted access paths instead of escalating from scratch. That turns a compromised server into a bridge into cloud resources, expands blast radius, and makes lateral movement easier to hide. The risk is highest when sync, admin, and workload permissions are blended into one identity.
Q: Why do stale non-human identities increase lateral movement risk?
A: Stale non-human identities remain valid after the business or technical need has changed, so they become persistence points for attackers. In hybrid clouds, that is especially dangerous because the same identity can still authenticate across linked environments even when no one is actively watching it. Lifecycle failure becomes an attacker advantage.
Q: How do security teams know if machine identities are crossing trust boundaries safely?
A: Teams should verify whether each machine identity has a documented owner, a narrow scope, and a clear boundary for where it can authenticate and what it can change. If the identity can move from on-premises to cloud or influence directory state, it should be treated as a high-risk bridge account.
Q: Who is accountable when a service account is abused in a hybrid-cloud breach?
A: Accountability should sit with the team that owns the machine identity’s lifecycle and the platform it governs, not with incident responders after the fact. Hybrid-cloud abuse usually reflects shared failure across identity, infrastructure, and operations, so ownership must be explicit before compromise occurs.
Technical breakdown
Weak credentials as the initial access path
Storm-0501’s opening move was not novel tradecraft so much as predictable credential abuse. The article ties initial compromise to weak credentials on on-premises servers, then shows how those servers became stepping stones into cloud resources. In hybrid environments, the machine identity attached to a server or sync component can become the real target because it bridges two control planes. Once attackers obtain that identity, they inherit whatever trust was granted to the workload, not just the host. That is why service account governance and secret hygiene matter more than perimeter assumptions.
Practical implication: inventory every server-linked service account and remove any credential that can be reused outside its intended trust boundary.
Over-privileged service accounts enable cloud lateral movement
The article’s core technical pattern is lateral movement through over-privileged accounts, especially those tied to Microsoft Entra Connect Sync. That matters because these accounts sit at a privileged junction between on-premises identity infrastructure and cloud identity services. If they retain broad permissions, an attacker does not need to escalate in the usual sense. They only need to use the existing trust to impersonate, query, or modify objects that unlock cloud access. In NHI terms, the blast radius is determined by what the account can reach across both environments, not by where it was created.
Practical implication: reduce sync and bridge-account scope to the minimum required and separate their permissions from interactive admin workflows.
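One way to turn that separation into a detection, as an added example that is not from the Oasis Security article or from any Microsoft tooling: a small Python checker reads sign-in events and flags an Entra Connect sync identity that authenticates from anywhere other than its registered sync server, signs in interactively, or carries the sync-account naming pattern without being in the approved inventory. The account names, addresses and events are constructed, the JSON fields are a simplified stand-in for real sign-in logs rather than the Entra schema, and the assumption that the cloud-side sync account is named Sync_<server>_<id>@<tenant> should be checked against your own tenant before you rely on the pattern.

```python
import json
import re

# Approved Entra Connect sync identities and the only source addresses each
# should ever authenticate from. Constructed values; in practice this comes
# from the bridge-identity inventory, never from the logs being checked.
KNOWN_SYNC_ACCOUNTS = {
    "Sync_ADCONNECT01_7f3a2c9e1b4d@contoso.onmicrosoft.com": {"203.0.113.10"},
}

# Assumed naming pattern for the cloud-side sync account: Sync_<server>_<hex id>@...
# Verify against your tenant; treat a miss here as a tuning problem, not proof of absence.
SYNC_NAME = re.compile(r"^Sync_[A-Za-z0-9-]+_[0-9a-f]+@", re.IGNORECASE)

# Constructed sign-in events in a simplified JSON-lines shape. "interactive"
# marks a user-driven (browser/portal) sign-in; a sync account should only
# ever appear in non-interactive service flows from its own server.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ts": "2026-04-12T02:00:05Z", "user": "Sync_ADCONNECT01_7f3a2c9e1b4d@contoso.onmicrosoft.com",
                "ip": "203.0.113.10", "app": "Microsoft Azure AD Sync", "interactive": False}),
    json.dumps({"ts": "2026-04-12T02:41:17Z", "user": "Sync_ADCONNECT01_7f3a2c9e1b4d@contoso.onmicrosoft.com",
                "ip": "198.51.100.23", "app": "Microsoft Azure AD Sync", "interactive": False}),
    json.dumps({"ts": "2026-04-12T02:43:02Z", "user": "Sync_ADCONNECT01_7f3a2c9e1b4d@contoso.onmicrosoft.com",
                "ip": "198.51.100.23", "app": "Azure Portal", "interactive": True}),
    json.dumps({"ts": "2026-04-12T03:10:44Z", "user": "alice@contoso.com",
                "ip": "198.51.100.23", "app": "Azure Portal", "interactive": True}),
    json.dumps({"ts": "2026-04-12T03:15:09Z", "user": "Sync_EVILHOST_deadbeef01@contoso.onmicrosoft.com",
                "ip": "198.51.100.23", "app": "Microsoft Azure AD Sync", "interactive": False}),
])


def check_event(event, known=KNOWN_SYNC_ACCOUNTS):
    """Return the reasons this event is suspicious (empty list if none).
    Only identities that look like sync accounts are in scope for this check."""
    user = event["user"]
    if not SYNC_NAME.match(user):
        return []
    if user not in known:
        # A sync-pattern identity that nobody approved is the inventory gap
        # the page warns about: an access path outside governance.
        return ["sync-pattern identity not in inventory"]
    reasons = []
    if event["ip"] not in known[user]:
        reasons.append("sync account authenticating from non-sync-server address")
    if event["interactive"]:
        reasons.append("interactive sign-in by sync account")
    return reasons


def detect(jsonl, known=KNOWN_SYNC_ACCOUNTS):
    """Run check_event over JSON-lines input and collect one finding per bad event."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = check_event(ev, known)
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "ip": ev["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

Run against the sample, the first event (sync server, non-interactive) is clean, the second and third fire on source address and interactivity, the human user is out of scope, and the unapproved Sync_ name is reported on its own. The allowlist-by-source-address rule is deliberately strict: a sync account has exactly one legitimate place to authenticate from, so the rule needs no tuning beyond keeping the inventory current.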
Stale accounts and persistent access points
The Storm-0501 analysis also highlights stale accounts, meaning identities that remain valid even after the system or relationship they were built for has changed. That creates persistence because the attacker does not need to re-compromise the environment once the account is in hand. The article notes that these identities can be used to create backdoors and prolong undetected access. In hybrid clouds, stale NHI ownership is especially dangerous because decommissioning is often split across platform teams, identity teams, and operations. The result is an access path that outlives the original business need.
Practical implication: tie offboarding for machine identities to asset retirement and role changes, not to periodic cleanup alone.
Threat narrative
Attacker objective: The objective was durable cross-environment access with enough privilege to move laterally, persist, and impersonate higher-value users inside the cloud estate.
- Entry came through weak credentials on on-premises servers, followed by access to the server-linked machine identities that bridged into cloud systems.
- Credential access and abuse centred on stolen service accounts, including identities tied to Microsoft Entra Connect Sync, which let the attackers reuse trusted access paths.
- Impact came from lateral movement into cloud platforms, persistent backdoors, and impersonation of high-privilege users that expanded the attackers’ reach across the hybrid environment.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials, endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Hybrid-cloud identity is now an attack path, not just an access layer. Storm-0501 shows that once machine identities bridge on-premises and cloud environments, they become route selectors for the attacker. Traditional IAM thinking often treats those identities as background plumbing, but the campaign demonstrates that they are operational trust channels. Practitioners need to treat every cross-environment service account as a governed movement path, not a static account record.
Stale machine identities create persistence that outlives business intent. The article’s reference to stale accounts points to a failure mode where an identity remains valid after the system, sync relationship, or administrative need has changed. That is not a mere hygiene issue. It is a lifecycle break that turns decommissioning lag into attacker dwell time. The practitioner conclusion is that machine identity offboarding must be aligned to infrastructure change, not calendar cleanup.
Over-privileged bridge accounts amplify the identity blast radius. Service accounts tied to sync or orchestration functions often sit at the most sensitive boundary in hybrid estates. When those accounts are broader than necessary, attackers can impersonate trust across both sides of the environment without needing separate escalation. This is where NHI governance and PAM intersect: the account that connects systems should not be the account that can reshape them.
Secret visibility alone is not enough to govern hybrid NHI risk. The article notes discovery, security, and governance gaps, but the deeper issue is that many programmes still observe credentials without understanding their cross-domain role. A token or service account can look ordinary in one platform and critical in another. The named concept here is hybrid identity blast radius, which is the total reachable impact of a machine identity across on-premises and cloud trust zones. Practitioners should govern for reach, not just existence.
OWASP NHI controls map cleanly to this breach pattern. The campaign aligns with the core OWASP-NHI problem set: exposed secrets, excessive privilege, weak lifecycle management, and missing ownership. That makes the breach useful as a reference point for NHI programmes that still frame machine identity as an inventory exercise. The practitioner takeaway is to measure how much trust each non-human identity can actually carry across environments, then reduce it before attackers do.
From our research:
- NHIs now outnumber human identities on average by a factor of 20, according to the 2026 Infrastructure Identity Survey.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, and organisations failing to scope AI access properly are 4.5x more likely to experience a security incident.
- For a wider identity lens: Read the 52 NHI Breaches Analysis for recurring failure patterns across exposed secrets, privilege sprawl, and lifecycle gaps.
What this signals
Hybrid-cloud programmes should assume that every identity bridging on-premises and cloud boundaries is part of the attack surface, not a hidden admin convenience. The practical change is organisational, not just technical: identity teams, cloud teams, and infrastructure teams need a shared view of which machine identities can carry trust across zones.
Hybrid identity blast radius: the real governance variable is no longer whether a machine identity exists, but how far it can reach once compromised. That means privileged bridges, sync accounts, and stale service identities deserve the same review discipline as high-risk human admin roles.
With 70% of organisations granting AI systems more access than they would give a human employee performing the same job, per the 2026 Infrastructure Identity Survey, the broader lesson is that over-scoped non-human access is becoming normalised across identity programmes. Teams that do not reduce privilege now will inherit bigger blast radii later.
For practitioners
- Reconcile all bridge identities: Inventory every non-human identity that connects on-premises systems to cloud platforms, including sync accounts, service accounts, and delegated tokens. Mark any identity that can cross trust boundaries as high-risk and assign named operational ownership before the next access review.
- Scope Entra Connect and similar sync accounts tightly: Remove broad permissions from directory sync and integration accounts, and separate sync duties from administrative duties. If an account can alter cloud identity state, it should not also be able to reach unrelated workloads or perform interactive admin tasks.
- Retire stale accounts as part of system decommissioning: Tie machine-identity offboarding to server retirement, application replacement, and relationship change. A stale account is an open persistence path, so confirm revocation when the underlying host, app, or sync relationship is no longer in use.
- Track cross-environment privilege as a blast-radius metric: Measure the number of cloud and on-premises resources each non-human identity can reach, not just whether it exists. Use that reach score to prioritise remediation for the identities most likely to enable lateral movement.
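To make the reach score concrete, here is an added Python example (ours, not from the Oasis Security article or any vendor tool) that scores a constructed inventory of non-human identities. It flags bridge accounts, directory-write capability, staleness and missing ownership, and turns the count of reachable resources across on-premises and cloud into one blast-radius number for prioritisation, which is also the check the Key questions section asks for when deciding whether an identity crosses a boundary safely, and the stale-account test the technical breakdown calls for. The identity names, resource counts, the 90-day staleness threshold and the multipliers are assumptions chosen for illustration; the shape of the scoring (reach first, then multiply by governance failures) is the point.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class NHI:
    """One non-human identity from the bridge-identity inventory (constructed schema).
    reachable maps environment name -> number of resources the identity can act on."""
    name: str
    owner: Optional[str]
    last_auth: date               # most recent authentication observed anywhere
    envs: FrozenSet[str]          # environments it can authenticate to
    can_modify_directory: bool    # can write users, groups, roles or sync state
    reachable: Dict[str, int]


# Assumed thresholds and weights for illustration. Reach is the base; each
# governance failure multiplies it, because the page's argument is that a
# stale or unowned bridge account is worse than the same reach under control.
STALE_AFTER = timedelta(days=90)
WEIGHTS = {"bridge": 2.0, "directory-write": 2.0, "stale": 1.5, "unowned": 1.5}


def flags_for(nhi: NHI, today: date) -> List[str]:
    """Governance findings for one identity, in a fixed order."""
    flags = []
    if len(nhi.envs) > 1:
        flags.append("bridge")            # authenticates across trust zones
    if nhi.can_modify_directory:
        flags.append("directory-write")   # can mint access, not only use it
    if today - nhi.last_auth > STALE_AFTER:
        flags.append("stale")             # still valid after the need lapsed
    if not nhi.owner:
        flags.append("unowned")           # nobody to approve or confirm revocation
    return flags


def blast_radius(nhi: NHI, today: date) -> float:
    """Total reach across all environments, scaled by the findings above."""
    score = float(sum(nhi.reachable.values()))
    for flag in flags_for(nhi, today):
        score *= WEIGHTS[flag]
    return score


def prioritise(inventory: List[NHI], today: date) -> List[Tuple[str, float, List[str]]]:
    """Rank identities by blast radius, highest first, with their findings."""
    rows = [(n.name, blast_radius(n, today), flags_for(n, today)) for n in inventory]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed inventory: one sync bridge account, one forgotten migration
# account, one well-kept on-prem service account, one stale cloud token.
INVENTORY = [
    NHI("Sync_ADCONNECT01_7f3a2c9e1b4d", None, date(2026, 4, 28),
        frozenset({"onprem", "cloud"}), True, {"onprem": 5, "cloud": 1200}),
    NHI("legacy-migration-svc", None, date(2025, 3, 1),
        frozenset({"onprem", "cloud"}), False, {"onprem": 30, "cloud": 20}),
    NHI("svc-backup", "platform-team", date(2026, 4, 30),
        frozenset({"onprem"}), False, {"onprem": 40}),
    NHI("app-reporting-token", "data-team", date(2025, 10, 1),
        frozenset({"cloud"}), False, {"cloud": 12}),
]
TODAY = date(2026, 5, 1)


if __name__ == "__main__":
    for name, score, flags in prioritise(INVENTORY, TODAY):
        print(f"{score:8.1f}  {name:32s}  {', '.join(flags) or 'no findings'}")
```

The ordering is the useful output: the sync account lands first not because it has the most permissions in any one place but because it reaches both sides and can rewrite directory state with no owner on record, while the small stale cloud token drops to the bottom even though it is a real finding. That is the difference between scoring for existence and scoring for reach.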
Key takeaways
- Storm-0501 shows that hybrid-cloud compromise often starts with machine identities that bridge environments, not with human login abuse.
- The article’s evidence points to weak credentials, over-privileged service accounts, and stale identities as the three controls that most directly determine blast radius.
- Hybrid-cloud defenders should govern non-human identities as cross-domain movement paths, because lifecycle gaps and excessive trust create persistence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1 Improper Offboarding; NHI5 Overprivileged NHI; NHI7 Long-Lived Secrets | Stale sync and service accounts are the offboarding failure, broad bridge-account rights are the overprivilege case, and unrotated credentials extend attacker persistence. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions are defined, managed, enforced and reviewed under least privilege and separation of duties, which is central to limiting hybrid-cloud lateral movement. |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets (per-session, policy-based access with no implicit trust from network location) | Hybrid trust boundaries require explicit policy enforcement between on-prem and cloud rather than trust inherited from where the identity was created. |
Apply explicit trust decisions to machine identities that traverse environments and verify each hop continuously.
Key terms
- Bridge Identity: A bridge identity is a non-human identity that connects two trust zones, such as on-premises infrastructure and a cloud platform. It often carries more power than a normal workload account because it can move data, state, or authentication across boundaries, making it a high-value governance target.
- Stale Account: A stale account is a machine identity that remains active after the original system, integration, or business need has changed. In hybrid environments, stale accounts can persist as hidden access paths because they are not tied to a person who offboards, so lifecycle ownership must be explicit.
- Identity Blast Radius: Identity blast radius is the total set of systems, data, and trust a single identity can reach if it is abused. For non-human identities, the metric is not just privilege level but cross-environment reach, because a compromised bridge account can affect multiple platforms at once.
Deepen your knowledge
Hybrid-cloud NHI governance and bridge-account risk are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for service accounts that span on-premises and cloud platforms, it is worth exploring.
This post draws on content published by Oasis Security: Storm-0501 and the rising threat to non-human identities in hybrid clouds. Read the original.
Published by the NHIMG editorial team on 2026-05-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org