Threat Actor Breaches Snowflake Customers, Victims Extorted

A cyber threat actor is suspected to have stolen a significant volume of customer data from data warehousing platform Snowflake, Mandiant has warned. 

The financially motivated threat actor, named UNC5537, is advertising the stolen data for sale on cybercrime forums, and is attempting to extort many of the victims.

To date, 165 organizations using Snowflake have been notified they have potentially been exposed.

Snowflake is a multi-cloud data warehousing platform that allows customers to store and analyze large amounts of structured and unstructured data.

Mandiant researchers said that UNC5537 is “systematically” compromising Snowflake customer instances using stolen customer credentials.

Every incident Mandiant has responded to associated with this campaign has been traced back to compromised customer credentials, which were primarily obtained from multiple infostealer malware campaigns that infected non-Snowflake owned systems.

There is no evidence that the incidents were caused by a breach of Snowflake’s enterprise environment.

How Snowflake Customer Data Was Compromised

Mandiant analyzed database records that were subsequently determined to have originated from a victim’s Snowflake instance in April 2024.

The organization’s Snowflake platform had been compromised by a threat actor using stolen credentials, enabling them to exfiltrate valuable data, an investigation by Mandiant revealed.

After obtaining additional intelligence identifying a broader campaign targeting customers’ Snowflake platform, Mandiant contacted the data warehousing platform with their findings in May 2024.

This reporting led to a Victim Notification Program to notify potential victims and helping them secure their accounts and data.

A joint investigation by Mandiant and Snowflake found that the majority of the credentials used by UNC5537 were available from historical infostealer infections dating back as far as 2020.

The infostealer malware variants included VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER.

At least 79.7% of the accounts leveraged by the threat actor had prior credential exposure, Mandiant and Snowflake’s analysis found.

UNC5537 was also assessed to have conducted reconnaissance against target Snowflake platforms. The threat actor used a tool named FROSTBOTE to perform SQL recon activities, including listing users, current roles, current IPs, session IDs and organization names.

Once customer accounts were compromised, UNC5537 repeatedly executed similar SQL commands across numerous customer Snowflake instances to stage and exfiltrate data.

Mandiant wrote: “The threat actor has subsequently begun to extort many of the victims directly and is actively attempting to sell the stolen customer data on recognized cybercriminal forums.”

UNC5537 has been identified as a distinct cluster since May 2024, with Mandiant assessing with moderate confidence that members are based in North America. The threat actor has been observed targeting hundreds of organizations worldwide, and frequently extorts victims for financial gain.

Lack of MFA Allowed Attackers to Succeed

Mandiant researchers identified three primary factors that enabled the attackers to successfully compromise impacted Snowflake customer instances, revolving around basic security protocols not being followed:

  1. Multi-factor authentication (MFA) was not enabled, meaning successful authentication only required a valid username and password
  2. Credentials stolen from past infostealer infections had not been rotated or updated
  3. The impacted Snowflake customer instances did not have network allow lists in place to only allow access from trusted locations

Mandiant advised organizations to conduct urgent credential monitoring and the universal enforcement of MFA and secure authentication to mitigate similar campaigns in the future.

Image credit: Poetra.RH /

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button