Cloud environments are being compromised by APT29 not only through previously breached access service account credentials but also via old employee accounts that were not disconnected by organizations.
Article Link: New APT29 attacks set sights on cloud services | SC Media