Snowflake Customers Hit With ‘Significant’ Data Theft In Attacks: Mandiant

A cybercriminal group is suspected to have stolen data from 165 organizations, Mandiant says.

Details disclosed by Mandiant researchers Monday suggest the attacks targeting Snowflake customers had a wider impact than previously suggested, with a “significant” volume of data stolen and more than 100 customers known to be potentially impacted so far.

A cybercriminal group is “suspected to have stolen a significant volume of records from Snowflake customer environments,” researchers at Mandiant, a major incident response firm owned by Google Cloud, said in a post.

[Related: Snowflake Planning Switch To Default MFA Amid Attacks: Report]

Overall, Snowflake and Mandiant “have notified approximately 165 potentially exposed organizations” to date, the Mandiant researchers said in the post.

The wave of data theft attacks targeting Snowflake customers are believed to be utilizing stolen passwords. Customers reportedly impacted have included Ticketmaster, Santander Bank and Advance Auto Parts.

“The impacted accounts were not configured with multifactor authentication enabled, meaning successful authentication only required a valid username and password,” Mandiant researchers confirmed in the post Monday.

Mandiant researchers noted that their investigation hasn’t found evidence indicating that Snowflake's environment had been breached, confirming what Snowflake has said previously. “Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials,” the researchers said.

Mandiant attributed the attacks to a previously unknown, “financially motivated threat actor” it is now tracking as UNC5537.

“UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims,” researchers said in the post.

The stolen credentials were “primarily obtained from multiple infostealer malware campaigns that infected non-Snowflake owned systems,” Mandiant researchers said.

The attacks began at least as far back as mid-April, Mandiant said. Then on May 22, “upon obtaining additional intelligence identifying a broader campaign targeting additional Snowflake customer instances, Mandiant immediately contacted Snowflake and began notifying potential victims through our Victim Notification Program.”

In response to a request for comment Monday, a Snowflake spokesperson directed CRN to an updated statement on its advisory page, which links to the Mandiant blog.

“We continue to work closely with our customers as they harden their security measures to reduce cyber threats to their businesses, and we are developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies,” the company said in the statement.

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned about the recent threat actor campaign targeting users of Snowflake and urged customers to proactively look for malicious activity.