Snowflake Breach Exposes 165 Clients’ Information in Ongoing Extortion Plot
Approximately 165 Snowflake customers may have had their data exposed as part of an ongoing campaign designed to enable data theft and extortion, indicating that the operation has broader consequences than previously anticipated.
Mandiant, the Google-owned firm assisting the cloud data warehousing platform with its incident response, is tracking the activity cluster under the name UNC5537 and characterizes it as a financially motivated threat actor.
“UNC5537 is methodically compromising Snowflake client instances using purloined client credentials, promoting victim data for sale on cybercrime forums, and trying to coerce many of the victims,” the threat intelligence firm stated on Monday.
“UNC5537 has aimed at hundreds of institutions worldwide, and often blackmails victims for financial gain. UNC5537 functions under various pseudonyms on Telegram channels and cybercrime forums.”
There is evidence to suggest that the hacking group includes members based in North America. It is also suspected to collaborate with at least one additional group based in Turkey.
This marks the first time the number of affected customers has been officially disclosed. Snowflake had previously said that a “restricted number” of its customers were affected by the incident. The company has over 9,820 customers worldwide.
The campaign, as previously described by Snowflake, stems from compromised customer credentials purchased on cybercrime forums or obtained through information-stealing malware such as Lumma, MetaStealer, Raccoon, RedLine, RisePro, and Vidar. It is believed to have begun on April 14, 2024.
In several cases, the stealer malware infections have been observed on contractor systems that were also used for recreational activities, such as gaming and downloading pirated software, the latter of which has been a tried-and-tested channel for disseminating stealers.
The unauthorized access to customer instances has led to the development of a reconnaissance utility named FROSTBITE (also known as “rapeflake”) that is used to run SQL queries and gather details about users, current roles, current IP addresses, session IDs, and organization names.
Mandiant said it has not obtained a complete sample of FROSTBITE; the company also highlighted the threat actor’s use of a legitimate tool, DBeaver Ultimate, to connect to Snowflake instances and run SQL queries. The final phase of the attack involves the adversary running commands to stage and exfiltrate data.
Snowflake, in an updated advisory, said it is working closely with its customers to strengthen their security posture. It also said it is developing a plan to require them to implement advanced security controls, such as multi-factor authentication (MFA) or network policies.
The attacks, Mandiant noted, have been so successful for three main reasons: the absence of multi-factor authentication (MFA), infrequent rotation of credentials, and the lack of checks to ensure access only from trusted locations.
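The three gaps Mandiant lists are also the three things a defender can audit in login telemetry. The following is an added example, not code from the article, Mandiant or Snowflake: it scores constructed login records (field names are assumed, loosely modelled on Snowflake's account-usage login history) for missing MFA, access from outside an allow list, and credentials older than a rotation threshold.

```python
"""Audit login records for the three weaknesses cited above:
no MFA, stale credentials, and access from untrusted networks.
Added example with constructed input; field names are assumptions."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample login events (not real telemetry).
LOGINS = [
    {"user": "ETL_SVC", "ip": "203.0.113.7", "second_factor": None,
     "ts": datetime(2024, 4, 20, 3, 12)},
    {"user": "ALICE", "ip": "10.1.2.3", "second_factor": "DUO_PUSH",
     "ts": datetime(2024, 4, 20, 9, 0)},
    {"user": "BOB", "ip": "198.51.100.9", "second_factor": None,
     "ts": datetime(2024, 4, 21, 22, 45)},
]
# Constructed: when each user's password was last set.
PASSWORD_SET = {
    "ETL_SVC": datetime(2020, 11, 1),
    "ALICE": datetime(2024, 4, 1),
    "BOB": datetime(2023, 1, 15),
}
# Constructed allow list of trusted source networks (documentation ranges).
TRUSTED = [ipaddress.ip_network("10.0.0.0/8"),
           ipaddress.ip_network("198.51.100.0/24")]
MAX_CRED_AGE = timedelta(days=90)   # rotation threshold, an assumption
NOW = datetime(2024, 6, 10)         # constructed audit time


def audit(logins, password_set, trusted, max_age, now):
    """Return {user: sorted weakness tags} for users whose logins show any gap.
    A user with no password-set record is treated as freshly rotated."""
    findings = {}
    for ev in logins:
        tags = set()
        if ev["second_factor"] is None:
            tags.add("no_mfa")
        if not any(ipaddress.ip_address(ev["ip"]) in net for net in trusted):
            tags.add("untrusted_ip")
        if now - password_set.get(ev["user"], now) > max_age:
            tags.add("stale_credential")
        if tags:
            findings.setdefault(ev["user"], set()).update(tags)
    return {u: sorted(t) for u, t in findings.items()}


if __name__ == "__main__":
    for user, tags in audit(LOGINS, PASSWORD_SET, TRUSTED, MAX_CRED_AGE, NOW).items():
        print(f"{user}: {', '.join(tags)}")
```

A user appearing with all three tags, like the service account here, is exactly the profile the article describes: a long-lived password, no second factor, and a login from a network the organization never approved.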
“The earliest infostealer infection date observed associated with a credential utilized by the malicious actor traces back to November 2020,” Mandiant stated, additionally revealing that it “pinpointed hundreds of customer Snowflake credentials exposed through infostealers since 2020.”
“This operation underlines the repercussions of an extensive volume of credentials circulating within the infostealer market and could potentially mirror a specific interest from threat actors towards comparable SaaS platforms.”
The findings underscore the growing market demand for information stealers and the widespread threat they pose to organizations, which has led to a steady stream of new stealer variants such as AsukaStealer, Cuckoo, Iluria, k1w1, SamsStealer, and Seidr being offered for sale to other criminal actors.
“During February, Sultan, the persona linked to Vidar malware, posted an image showcasing the Lumma and Raccoon stealers standing united against antivirus solutions,” as outlined in a recent analysis by Cyfirma. “This points towards collaboration among malicious actors, as they unite and exchange resources to attain their objectives.”