Assuming the screenshot is real[0], they have over 1PB in their Google Drive, so chances are everyone just uses Google Drive with shared drives, and employees use Drive for Desktop (previously Drive File Stream)[1]. Shared drives are pretty powerful, and access to them can be gated at the same level as regular Drive files.
My theory is that some high-level IT person either got phished and didn't have hardware 2FA, or that high-level IT person downloaded malware / got RAT'd and the Google Drive scanning was done in the background on their machine. Depending on the hierarchy, it might not have even been a scan; it could've been the attackers sating their curiosity by browsing through all their internal files and happening to find some PAM credentials.
Maybe just clicking around until they found something. That's what many employees do on a daily basis looking for files on network drives, so nothing that would be noticed easily.
Did their IDS/IPS not go off on this? I wonder if this was a sophisticated scan designed to go slow and evade detection or if it was just nmap lol
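The "slow scan vs. nmap" question above comes down to how the detector counts. A typical portscan signature counts distinct targets per source inside a short window (tens of seconds), so a scanner that spaces probes minutes apart never trips it, while the same count kept over a long window does. The following is an added example, not code from the thread or from any IDS product: it runs one sliding-window distinct-target counter over constructed connection records (the hosts, ports and timings are made up) with a 60-second window and then with a 24-hour window, and shows which scanner each window catches.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class Event(NamedTuple):
    src: str
    dst: str
    dport: int
    ts: float  # seconds since start of the capture


def build_events() -> list[Event]:
    """Constructed sample traffic (assumed, not from any real capture)."""
    events = []
    # Background: 20 workstations each talk to three servers, once a minute, for a day.
    servers = [("10.0.2.1", 443), ("10.0.2.2", 445), ("10.0.2.3", 53)]
    for h in range(20):
        src = f"10.0.1.{h + 10}"
        for minute in range(1440):
            dst, port = servers[(h + minute) % 3]
            events.append(Event(src, dst, port, minute * 60.0))
    # Fast scanner ("just nmap"): 100 ports on one host, 50 ms apart, starting at t=3600s.
    for p in range(1, 101):
        events.append(Event("10.0.9.9", "10.0.2.5", p, 3600.0 + p * 0.05))
    # Low-and-slow scanner: the same 100 ports, one probe every 10 minutes (~16.7 hours total).
    for p in range(1, 101):
        events.append(Event("10.0.9.10", "10.0.2.5", p, p * 600.0))
    return events


def distinct_target_scan(events: list[Event], window_s: float, threshold: int) -> set[str]:
    """Return the sources that contact at least `threshold` distinct (dst, dport)
    targets within any sliding window of `window_s` seconds.

    Per source we keep a time-ordered deque of (ts, target) plus a count of live
    entries per target, so expiring old events is O(1) and the number of distinct
    targets still inside the window is just len(counts)."""
    ordered = sorted(events, key=lambda e: e.ts)
    per_src: dict[str, tuple[deque, dict]] = defaultdict(lambda: (deque(), defaultdict(int)))
    alerted: set[str] = set()
    for ev in ordered:
        q, counts = per_src[ev.src]
        target = (ev.dst, ev.dport)
        q.append((ev.ts, target))
        counts[target] += 1
        # Drop everything older than the window start.
        while q and q[0][0] < ev.ts - window_s:
            _, old = q.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if len(counts) >= threshold:
            alerted.add(ev.src)
    return alerted


EVENTS = build_events()
THRESHOLD = 50  # distinct targets per source before we call it a scan


def burst_alerts() -> set[str]:
    """Short window, like a classic portscan rule: catches the fast scan only."""
    return distinct_target_scan(EVENTS, window_s=60, threshold=THRESHOLD)


def long_window_alerts() -> set[str]:
    """24-hour window: the slow scanner's 100 targets now land in one window."""
    return distinct_target_scan(EVENTS, window_s=86400, threshold=THRESHOLD)


if __name__ == "__main__":
    print("60s window  :", sorted(burst_alerts()))        # only 10.0.9.9
    print("24h window  :", sorted(long_window_alerts()))  # 10.0.9.9 and 10.0.9.10
```

The background hosts never exceed three distinct targets, so they stay quiet under both windows; the trade-off is that the long window has to hold a day of per-source state, which is why production sensors usually keep a small per-source structure (a cardinality sketch or a capped set) rather than the full deque used here.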
I can't wait for the post-mortem, hopefully lots of good lessons to learn.