
Cybercriminal group UNC5537, responsible for the recent security breach that exposed data from Snowflake client companies, has a history of using stolen customer credentials to steal data and extort victims. In late May, Snowflake announced that it was investigating a threat campaign targeting some of its clients’ accounts, in collaboration with cybersecurity experts CrowdStrike and Mandiant. The company reported that a limited number of accounts had been compromised, with no evidence of platform vulnerabilities or compromised personnel passwords.

It was determined that the cybercriminals targeted users without multi-factor authentication and likely used credentials obtained from previous ransomware attacks. Over 500 login credentials belonging to Snowflake customers, including Ticketmaster and Banco Santander, were leaked online. Mandiant identified the threat campaign as UNC5537, consisting of financially motivated cybercriminals from North America and Turkey who steal data and extort victims by threatening to publish it unless they are paid.

Mandiant identified around 165 Snowflake customers potentially affected by the campaign, attributing the unauthorized access to compromised customer credentials obtained from previous ransomware attacks. The campaign was not attributed to any novel or sophisticated techniques but rather to the growing market for information theft. Mandiant first detected unauthorized access in April and informed Snowflake in May, prompting the company to notify potential victims through their Victim Notification Program and develop plans for advanced security controls for customers.

Snowflake is working closely with clients to mitigate cyber threats and ensure the implementation of advanced security controls to protect against future attacks. The company continues to investigate the incident and collaborate with cybersecurity experts to enhance its security measures and protect customer data. This incident highlights the importance of implementing multi-factor authentication and keeping customer credentials secure to prevent such attacks from happening again.
