
Snowflake attack research - data breaches are related to infostealer attacks and no MFA

Take action: Another lesson about the value of enforcing MFA and SSO with MFA. Everyone is too comfortable with passwords, and passwords are now even more dangerous because infostealer malware has become a very popular tool. Do not install programs from unknown sources or from emails. Don't trust even your own old USBs and CDs.


Learn More

Security researchers from Mandiant are reporting that approximately 165 organizations have been impacted by a large-scale cyber campaign targeting Snowflake cloud storage systems using stolen customer credentials.

The campaign, attributed to the financially motivated threat actor UNC5537, involves exploiting credentials obtained through infostealer malware. Per the report from Mandiant, the malware infections apparently did not occur on Snowflake's systems, and there is no evidence to suggest that the unauthorized access stemmed from a breach within Snowflake's enterprise environment.

Cloud data analytics platform Snowflake announced that it will enforce multi-factor authentication following what might be one of the largest data breaches on record.

Mandiant's investigation reveals that the campaign leveraged historical infostealer infections, some dating as far back as 2020, to acquire the credentials. These credentials were then used to access Snowflake instances and exfiltrate data. The absence of multi-factor authentication (MFA) and network allow lists exacerbated the vulnerability of the targeted accounts. The campaign began on April 14, 2024.

The threat actor, UNC5537, executed SQL commands for reconnaissance, data staging and exfiltration.

UNC5537 has been observed selling the stolen data on cybercriminal forums and attempting to extort victim organizations. The group comprises individuals primarily based in North America, with at least one member in Turkey, and has ties to other known threat groups. Despite the significant impact, Mandiant notes that UNC5537's campaign did not employ particularly novel or sophisticated tools or techniques but capitalized on the infostealer marketplace and security oversights.

Snowflake has stated that there is no evidence of a direct breach of its platform and that the unauthorized access was due to compromised customer credentials.
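The two gaps Mandiant calls out, single-factor password logins and missing network allow lists, can both be checked and closed from within Snowflake. The following is an added example written for this note, not from the Mandiant report or from Snowflake; the policy name and the CIDR block are placeholders to be replaced with your own egress ranges.

```sql
-- 1. Detect: successful password-only logins in the last 30 days
--    (no second factor recorded), grouped by user and source IP.
--    SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY requires the ACCOUNTADMIN role
--    or a role granted the IMPORTED PRIVILEGES on the SNOWFLAKE database.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    COUNT(*)              AS password_only_logins,
    MAX(event_timestamp)  AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP BY user_name, client_ip, reported_client_type
ORDER BY last_seen DESC;

-- 2. Mitigate: restrict where the account can be reached from.
--    '203.0.113.0/24' is a placeholder documentation range; list the
--    corporate VPN / office egress CIDRs your users actually come from.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Allow list added after the 2024 infostealer credential campaign';

-- Apply account-wide so a stolen password alone is not enough
-- from an arbitrary residential or proxy IP.
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 3. Verify the policy is in force.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
```

Run the detection query first and confirm that the allow list covers the legitimate addresses it returns, otherwise applying the policy will lock out real users along with the attacker.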

Update (16 June 2024): the threat actor UNC5537 has begun data extortion against organizations impacted by the Snowflake breach, with up to 10 affected entities pressured to pay ransoms ranging from $300,000 to $5 million.
