
Details on Snowflake data breach incidents involving customers

Companies face growing risk from identity-based attacks, with analysts and investigators sounding the alarm over increasingly widespread harm.


In a series of recent incidents, customers of Snowflake, a leading cloud-based data warehousing platform, have been hit by a financially motivated attack campaign. The attacks, first disclosed by Snowflake on May 30, have potentially impacted around 100 businesses, including the data storage vendor Pure Storage.

The attacks are believed to have relied on credentials harvested by infostealer malware from multiple infected systems that Snowflake does not own or operate; the attackers then replayed those credentials against customer instances. Mandiant, a leading cybersecurity firm, uncovered evidence of this broad campaign on May 22 and notified Snowflake and law enforcement.

Mandiant tracks the threat actor behind these attacks as UNC5537. In Mandiant's naming scheme, a "UNC" designation marks an uncategorized cluster of activity that has not yet been attributed to a named group, so the label says little about who is behind it. Beyond its use of stolen credentials against Snowflake customer instances, little substantive information about UNC5537 has been made public.

Snowflake has taken steps to protect its customers: blocking IP addresses associated with the activity and suspending user accounts where there are strong indicators of malicious use. The company has also been advising customers to enable multifactor authentication and to implement network access policies that restrict which IP ranges may log in.

Notably, the affected customer accounts were not configured with multifactor authentication, which would have prevented a stolen password from being sufficient on its own. On June 13, Mandiant released a threat hunting guide to help Snowflake customers detect malicious activity in their database instances.

As of June 13, UNC5537 was still actively extorting victims with data stolen from Snowflake customer environments. The earliest known instance of a cybercriminal posting allegedly stolen data from a Snowflake customer database for sale occurred on May 24.

On May 30, Snowflake published indicators of compromise and recommended actions for companies to investigate potential threat activity within their Snowflake accounts. The company continues to work closely with Mandiant and law enforcement agencies to investigate the attacks and protect its customers.
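The two defensive measures described above (multifactor authentication and network access policies) and the hunting step are all expressed in Snowflake as SQL run by an account administrator. The following is an added illustration written for this page, not Snowflake's or Mandiant's published guidance. It assumes access to the SNOWFLAKE.ACCOUNT_USAGE share, ACCOUNTADMIN (or equivalent) privileges, and a corporate egress range of 203.0.113.0/24, which is a placeholder from the RFC 5737 documentation space; the policy names corp_egress_only and require_mfa are likewise chosen here. The first two queries look for the pattern this campaign produced: successful password-only logins from unexpected addresses, and users who have never presented a second factor. The third looks for bulk data unloads, the usual exfiltration step once a session is obtained. The final statements apply the account-wide controls.

```sql
-- Added example for this page; not Snowflake's or Mandiant's own guidance.
-- Assumptions: SNOWFLAKE.ACCOUNT_USAGE is readable, ACCOUNTADMIN role,
-- corporate egress range 203.0.113.0/24 (RFC 5737 placeholder).
-- Note: ACCOUNT_USAGE views lag live events by up to a couple of hours.

-- 1. Successful logins in the last 30 days that used only a password
--    (no second factor) from outside the corporate range. Replay of
--    infostealer-harvested credentials looks exactly like this.
SELECT
    event_timestamp,
    user_name,
    client_ip,
    reported_client_type,
    reported_client_version,
    first_authentication_factor
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND client_ip NOT LIKE '203.0.113.%'   -- placeholder /24, widen for real ranges
ORDER BY event_timestamp DESC;

-- 2. Users who logged in successfully in the last 90 days but never once
--    presented a second factor: the accounts that need MFA enrollment first.
SELECT
    user_name,
    COUNT(*)                                              AS successful_logins,
    COUNT_IF(second_authentication_factor IS NOT NULL)    AS mfa_logins,
    MIN(event_timestamp)                                  AS first_seen,
    MAX(event_timestamp)                                  AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
GROUP BY user_name
HAVING COUNT_IF(second_authentication_factor IS NOT NULL) = 0
ORDER BY successful_logins DESC;

-- 3. Bulk unloads (COPY INTO <stage/location>) in the last 30 days, largest
--    first. A suspicious login followed by a large unload is the exfiltration
--    pattern to chase; correlate on user_name and session_id with query 1.
SELECT
    start_time,
    user_name,
    role_name,
    session_id,
    rows_unloaded,
    query_text
FROM snowflake.account_usage.query_history
WHERE query_type = 'UNLOAD'
  AND start_time >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY rows_unloaded DESC NULLS LAST;

-- 4. Account-wide network access policy. Snowflake refuses to activate a
--    policy that would exclude the current session's IP, so run this from
--    an address inside the allowed range or you will get an error, not a lockout.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Only the corporate egress range may log in to this account';

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 5. Require MFA enrollment for password-based users via an authentication
--    policy. Authentication policies are a newer Snowflake object type;
--    confirm availability for your account edition before relying on this.
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD');

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Run queries 1 to 3 before changing anything, since enabling the network policy will, by design, cut off any attacker sessions you might otherwise have been able to observe. Service accounts that connect from cloud providers rather than the corporate range need their own user-level network policies (ALTER USER ... SET NETWORK_POLICY) or key-pair authentication instead of passwords; do not loosen the account-wide list to accommodate them.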


  1. Mandiant, a leading cybersecurity firm, discovered evidence of a broad credential-theft campaign that led to financially motivated attacks on customers of Snowflake, a cloud-based data warehousing platform.
  2. Mandiant tracks the threat actor behind the Snowflake attacks as UNC5537; the actor used credentials harvested by infostealer malware rather than any weakness in the Snowflake platform itself.
  3. Snowflake has been working to protect its customers by suspending user accounts with indicators of malicious activity, blocking IP addresses linked to the threat, and urging customers to enable multifactor authentication and implement network access policies.
  4. Despite these efforts, UNC5537 was still actively extorting victims with data stolen from Snowflake customer environments as of June 13; the earliest known sale listing of allegedly stolen Snowflake customer data appeared on May 24.
