Security breach in Snowflake exposes data of 165 customers in extortion campaign

Snowflake, the cloud data platform, has confirmed that data from up to 165 of its customers may have been exposed in an ongoing extortion campaign. The figure shows that the operation is considerably broader than previously reported.

Mandiant, the Google-owned security company, is assisting Snowflake with its incident response. Mandiant tracks the previously unclassified threat actor as UNC5537 and describes it as financially motivated.

UNC5537 has been systematically compromising Snowflake customer instances using stolen credentials. The victims’ data has been advertised for sale on cybercrime forums, and many victims have been subjected to extortion attempts. The group has targeted hundreds of organizations worldwide and operates under various aliases on Telegram channels and cybercrime forums.

Members of the group are suspected to be based in North America and collaborate with at least one additional party located in Turkey.

This is the first time the number of affected customers has been officially disclosed. Previously, Snowflake had indicated that a “limited number” of its customers were impacted by the incident. The company has over 9,820 customers worldwide.

The campaign, as previously detailed, stems from compromised customer credentials acquired in cybercrime forums or obtained through information-stealing malware such as Lumma, MetaStealer, Raccoon, RedLine, RisePro, and Vidar. The campaign is believed to have started on April 14, 2024.

In several instances, information-stealing malware infections have been detected on contractors’ systems that were also used for personal activities such as gaming and downloading pirated software.

Once inside a customer instance, the attackers used a reconnaissance tool called FROSTBITE (also known as “rapeflake”) to run SQL queries that retrieve information about users, current roles, IP addresses, session IDs, and organization names.

Mandiant noted that it has not been able to obtain a full sample of FROSTBITE, and also highlighted the attackers’ use of a legitimate utility, DBeaver Ultimate, to connect to Snowflake instances and run SQL queries. The final stage of the attack consists of executing commands to stage and exfiltrate data.

In an updated notice, Snowflake has reported that it is working closely with its customers to strengthen their security measures and is developing a plan to implement advanced security controls such as multi-factor authentication (MFA) and network policies.

The attacks succeeded for three main reasons, all on the customer side of the shared-responsibility line: the compromised accounts had no MFA enabled, the stolen credentials had not been rotated (in some cases years after the malware infection that captured them), and no network policies restricted access to trusted locations, so a valid username and password from any IP address was enough.
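The following Python script is an added example written for this article; it is not code from Mandiant, Snowflake, or the threat actor. It turns the three weaknesses above, plus the reconnaissance client names mentioned earlier (FROSTBITE/“rapeflake” and DBeaver Ultimate), into a triage check a Snowflake customer could run over exported account-usage rows. The field names are modelled on the SNOWFLAKE.ACCOUNT_USAGE LOGIN_HISTORY, SESSIONS and USERS views, but the sample rows, the trusted IP ranges, the client-name substrings and the 90-day rotation threshold are all assumptions made for illustration.

```python
# Added example (not code from the article, Mandiant or Snowflake): triage of
# Snowflake-style login and user rows for the three weaknesses the campaign
# exploited (no MFA, stale credentials, no network restriction) plus the
# client names the article associates with the intrusions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import ipaddress

# Assumption: the organisation's trusted egress ranges, i.e. what a Snowflake
# network policy ALLOWED_IP_LIST would contain. TEST-NET ranges are used here.
ALLOWED_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
# Assumption: client-name substrings worth flagging, derived from the tool
# names in the article (FROSTBITE/"rapeflake", DBeaver Ultimate).
SUSPICIOUS_CLIENT_SUBSTRINGS = ("rapeflake", "dbeaver")
# Assumption: the credential rotation policy the customer wants to enforce.
MAX_PASSWORD_AGE = timedelta(days=90)


@dataclass
class Login:
    """One login event, modelled on LOGIN_HISTORY joined to SESSIONS."""
    user_name: str
    client_ip: str
    client_application_id: str                    # SESSIONS.CLIENT_APPLICATION_ID
    second_authentication_factor: Optional[str]   # None when no MFA was used
    is_success: bool                              # 'YES'/'NO' in Snowflake, bool here
    event_timestamp: datetime


@dataclass
class User:
    """Credential state, modelled on the USERS view."""
    name: str
    has_password: bool
    password_last_set_time: Optional[datetime]
    ext_authn_duo: bool                           # True when enrolled in MFA


def login_findings(login: Login) -> List[str]:
    """Findings for one successful login: untrusted source, no MFA, suspicious client."""
    if not login.is_success:
        return []   # failed attempts are tracked separately; this check covers access that worked
    findings = []
    ip = ipaddress.ip_address(login.client_ip)
    if not any(ip in net for net in ALLOWED_CIDRS):
        findings.append("untrusted_source_ip")
    if login.second_authentication_factor is None:
        findings.append("no_mfa")
    app = login.client_application_id.lower()
    if any(s in app for s in SUSPICIOUS_CLIENT_SUBSTRINGS):
        findings.append("suspicious_client")
    return findings


def user_findings(user: User, now: datetime) -> List[str]:
    """Findings from credential state: stale password, MFA not enrolled."""
    findings = []
    if user.has_password:
        last_set = user.password_last_set_time
        if last_set is None or now - last_set > MAX_PASSWORD_AGE:
            findings.append("stale_password")
    if not user.ext_authn_duo:
        findings.append("mfa_not_enrolled")
    return findings


def triage(logins: List[Login], users: List[User], now: datetime) -> Dict[str, List[str]]:
    """Merge per-login and per-user findings by user; users with none are omitted."""
    merged: Dict[str, set] = {}
    for login in logins:
        for f in login_findings(login):
            merged.setdefault(login.user_name, set()).add(f)
    for user in users:
        for f in user_findings(user, now):
            merged.setdefault(user.name, set()).add(f)
    return {name: sorted(fs) for name, fs in sorted(merged.items())}


# Constructed sample data (not real telemetry).
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    Login("ALICE", "203.0.113.10", "SnowSQL 1.2.32", "DUO_PUSH", True, NOW - timedelta(hours=2)),
    Login("BOB", "192.0.2.44", "DBeaver_DBeaverUltimate", None, True, NOW - timedelta(hours=5)),
    Login("BOB", "192.0.2.44", "rapeflake", None, True, NOW - timedelta(hours=4)),
    Login("CAROL", "192.0.2.9", "PythonConnector 3.0.0", None, False, NOW - timedelta(hours=1)),
]
SAMPLE_USERS = [
    User("ALICE", True, NOW - timedelta(days=12), True),
    User("BOB", True, NOW - timedelta(days=400), False),   # contractor account, never rotated
    User("CAROL", True, NOW - timedelta(days=30), True),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOGINS, SAMPLE_USERS, NOW).items():
        print(f"{name}: {', '.join(findings)}")
```

On the sample data only BOB is reported, with all five findings: a successful login from an address outside the allowed ranges, no second factor, a client name matching the tooling described in the article, a password last set over a year ago, and no MFA enrollment. The same checks map directly onto the controls Snowflake says it is rolling out: a network policy removes the untrusted-source case outright, and mandatory MFA enrollment removes the no-MFA case.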

“The earliest observed date of information-stealing malware infection associated with a credential used by the threat actor dates back to November 2020,” said Mandiant, adding that “hundreds of Snowflake customer credentials exposed through information-stealing malware since 2020 have been identified.”

This campaign highlights the consequences of the enormous volume of credentials circulating in the information-stealing malware market, and may signal a growing focus by threat actors on similar SaaS platforms where a single stolen password grants access to an entire data estate.

For more information, visit The Hacker News, Google, and Snowflake.
