Jakub Jirsák - stock.adobe.com

More than 160 Snowflake customers hit in targeted data theft spree

Mandiant reports that more than 160 Snowflake customers have been hit in a broad data theft and extortion campaign targeting organisations that have failed to pay proper attention to securing valuable credentials

Mandiant has warned Snowflake customers to step up their game when it comes to basic credential hygiene, after revealing evidence that more than 160 customers – including Santander and Ticketmaster – have been compromised in a targeted campaign by a financially motivated threat actor it tracks as UNC5537.

Mandiant said UNC5537 was systematically compromising Snowflake customer instances using stolen credentials, offering purloined data for sale on dark web forums, and attempting to extort many of the victims.

Vindicating Snowflake – which has previously said it was unable to identify any compromise of its own enterprise environment – Mandiant said that in every instance it tracked, the compromise was the result of poor cyber security hygiene at the victimised customer.

“Since at least April 2024, UNC5537 has leveraged stolen credentials to access over 100 Snowflake customer tenants. The threat actor systematically compromised customer tenants, downloaded data, extorted victims, and advertised victim data for sale on cyber criminal forums,” said Mandiant Consulting CTO Charles Carmakal.

“The combination of multiple factors contributed to the targeted threat campaign including Snowflake customer accounts configured without MFA, credentials stolen by infostealer malware – often from personal computers – and the tenants configured without network allow lists. It’s critical that organisations assess their exposure to stolen credentials by infostealers, as we anticipate this threat actor and others will replicate this campaign across other SaaS solutions.”

Mandiant said that the infostealers used to snaffle the victims’ credentials were distributed in various malware campaigns, some of them dating as far back as 2020. Some of the malwares used included Vidar, Risepro, Redline, Racoon Stealer, Lumma and Metast.

It also noted that the impacted accounts did not have multifactor authentication enabled – making it trivial for threat actors to log on, and in many cases, the credentials identified dated back years, and had not been rotated or updated since being compromised. Nor had the affected customers put network allow lists in place to only enable access from trusted locations.

Concerningly, in many cases, the infostealers were determined to have arrived on third-party contractor computer systems that were also being used in a personal capacity, including for gaming and downloads of pirated software or content.

Mandiant warned organisations to be stricter with contractors’ hygiene, as many use personal or unmonitored PCs to access the systems of multiple clients, often with elevated, administrator privileges, further facilitating UNC5537’s campaign.

Who are UNC5537?

UNC5537 has only been formally identified and tracked by Mandiant in the past few weeks – so only shows up in Mandiant’s taxonomy for now.

A financially motivated threat actor with no apparent alignment with any nation state, UNC5537 has targeted hundreds of organisations worldwide. Its members are almost all based in North America, with one known collaborator tracked to Turkey, and they may have associations with other groups.

They operate under a number of aliases, coordinating via Telegram channels and cyber crime forums, and primarily access their victim instances using Mullvad or Private Internet Access (PIA) virtual private network (VPN) IP addresses. The stolen data travelled over virtual private servers (VPS) from Moldova-based Alexhost, and has been stored on the systems of several other VPS providers, and cloud-storage provider Mega.

Mandiant said UNC5537’s campaign was not particularly novel or sophisticated, and the fact that it has had such a broad impact is more accurately a consequence of the growing use of infostealers, combined with missed opportunities by victims to secure themselves.

Read more about the Snowflake campaign

  • Significant data breaches at Ticketmaster and Santander appear to have been orchestrated through careful targeting of the victims’ Snowflake cloud data management accounts.
  • This podcast episode discusses the recent attacks against Snowflake customers and a controversial report that claimed the cloud storage and analytics giant had been breached.

Next Steps

Risk & Repeat: Sorting out Snowflake's security mess

Read more on Data breach incident management and recovery