Ongoing Extortion Campaign Compromises Data of 165 Customers in Snowflake Breach




Data breaches remain a major concern for businesses across industries. Recently, as many as 165 customers of Snowflake, a leading cloud data warehousing platform, had data stolen from their Snowflake instances. A financially motivated threat actor tracked as UNC5537 targeted those instances in a campaign of data theft followed by extortion. The incident shows how far attackers can get with stolen credentials alone and underlines the need for basic access controls to be switched on, not merely available. This article covers the details of the Snowflake breach, its implications, and the controls that would have blunted it.

Snowflake Data Breach Overview:

The hacking group UNC5537 gained unauthorized access to Snowflake customer instances using stolen credentials, many of them harvested by information-stealing malware such as Lumma, MetaStealer, Raccoon, RedLine, RisePro, and Vidar and later purchased from cybercrime forums. The campaign, which began on April 14, 2024, has targeted hundreds of organizations worldwide. It shows that data held on a cloud platform can be taken without any exploit of the platform itself: a valid username and password was enough.

Scope of the Data Breach:

Until recently, Snowflake had referred only to a "limited number" of impacted customers; the disclosed count has now reached 165. The growing scope underlines the seriousness of the campaign and the need for every customer, not only those already named, to check their own login history. Snowflake, with more than 9,820 customers globally, must address the breach comprehensively.

Insights into UNC5537’s Tactics:

To profile a compromised instance, UNC5537 runs a reconnaissance utility called FROSTBITE (also known as "rapeflake"), which issues SQL queries that return user details, current roles, IP addresses, session IDs, and organization names. The group also uses legitimate tools such as DBeaver Ultimate to connect to and query Snowflake instances, so its traffic looks like ordinary analyst activity and is harder to single out. Exfiltration of the queried data is the final stage. Because every stage runs as plain SQL over an authenticated session, the useful telemetry is the account's login and session history rather than any malware artifact on a host.
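The following hunting queries are an added example, not code from the article, from Mandiant, or from Snowflake. They run against Snowflake's ACCOUNT_USAGE views and look for the three things described above: sessions from the named tooling, password-only logins from an address the user never used before, and sessions that pulled the user/role/IP/session/organization context in bulk. The client-name patterns and the mapping of FROSTBITE to the specific context functions are assumptions to be verified against your own account's history.

```sql
-- Added example (not from the article, Mandiant or Snowflake): hunting queries
-- over ACCOUNT_USAGE for the activity pattern described above. Run with a role
-- that can read the SNOWFLAKE database (ACCOUNTADMIN by default). These views
-- lag live data by up to a few hours and keep one year of history.

-- 1. Sessions opened by the tooling named in the campaign.
--    CLIENT_APPLICATION_ID is the name the client reports about itself; the
--    two patterns below are assumptions, confirm them in your SESSIONS view.
SELECT s.created_on,
       s.user_name,
       s.client_application_id,
       s.client_application_version,
       s.authentication_method,
       l.client_ip,
       l.second_authentication_factor
FROM   snowflake.account_usage.sessions      AS s
JOIN   snowflake.account_usage.login_history AS l
       ON l.event_id = s.login_event_id
WHERE  s.created_on >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND (s.client_application_id ILIKE 'rapeflake%'     -- assumed self-reported name
       OR s.client_application_id ILIKE '%DBeaver%')  -- legitimate tool: review who uses it
ORDER  BY s.created_on DESC;

-- 2. Successful password-only logins from an IP the user had never used in
--    the preceding year. A valid password, no second factor, new network:
--    the shape of a stolen-credential login.
WITH known_ips AS (
    SELECT user_name, client_ip
    FROM   snowflake.account_usage.login_history
    WHERE  is_success = 'YES'
      AND  event_timestamp < DATEADD(day, -30, CURRENT_TIMESTAMP())
    GROUP  BY user_name, client_ip
)
SELECT l.event_timestamp,
       l.user_name,
       l.client_ip,
       l.reported_client_type,
       l.reported_client_version
FROM   snowflake.account_usage.login_history AS l
LEFT   JOIN known_ips AS k
       ON k.user_name = l.user_name AND k.client_ip = l.client_ip
WHERE  l.is_success = 'YES'
  AND  l.event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  l.first_authentication_factor = 'PASSWORD'
  AND  l.second_authentication_factor IS NULL
  AND  k.client_ip IS NULL
ORDER  BY l.event_timestamp DESC;

-- 3. Sessions that gathered all five context values the article lists.
--    The context functions below return exactly those fields; a session that
--    calls every one of them is unusual for a human analyst. Tying FROSTBITE
--    to these calls is an assumption. The NOT ILIKE clause keeps this hunting
--    query itself out of the results.
SELECT *
FROM (
    SELECT q.session_id,
           q.user_name,
           MIN(q.start_time)                                           AS first_query,
           COUNT_IF(q.query_text ILIKE '%CURRENT_USER%')               AS user_calls,
           COUNT_IF(q.query_text ILIKE '%CURRENT_ROLE%')               AS role_calls,
           COUNT_IF(q.query_text ILIKE '%CURRENT_IP_ADDRESS%')         AS ip_calls,
           COUNT_IF(q.query_text ILIKE '%CURRENT_SESSION%')            AS session_calls,
           COUNT_IF(q.query_text ILIKE '%CURRENT_ORGANIZATION_NAME%')  AS org_calls
    FROM   snowflake.account_usage.query_history AS q
    WHERE  q.start_time >= DATEADD(day, -90, CURRENT_TIMESTAMP())
      AND  q.query_text NOT ILIKE '%account_usage.query_history%'
    GROUP  BY q.session_id, q.user_name
)
WHERE user_calls > 0 AND role_calls > 0 AND ip_calls > 0
  AND session_calls > 0 AND org_calls > 0
ORDER BY first_query DESC;
```

Query 2 is the one worth scheduling: it needs no knowledge of the attacker's tooling, only the account's own login baseline, and any hit with a second factor of NULL is a user who should be moved to MFA the same day.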

Collaboration and Geographical Distribution:

Mandiant, the threat intelligence firm assisting Snowflake with incident response, has identified UNC5537 as a financially motivated threat actor. While evidence suggests the group is primarily based in North America, it is believed to collaborate with another party located in Turkey. This collaboration highlights the complex nature of cybercrime and underscores the need for international cooperation in combating such threats.

Implications and Rise of Information Stealers:

The success of the Snowflake data breach can be attributed to three gaps. First, none of the affected accounts required multi-factor authentication (MFA), so a stolen password on its own granted access. Second, credentials were not rotated: the earliest infostealer infection observed dates back to November 2020, meaning a password stolen more than three years earlier still worked. Third, the absence of network policies (IP allow lists) let the attacker log in from anywhere, which both made the intrusion possible and made it harder to trace.

The Snowflake data breach shows the demand for information stealers in the cybercriminal marketplace. The emergence of new variants such as AsukaStealer, Cuckoo, Iluria, k1w1, SamsStealer, and Seidr indicates the continuous evolution of techniques for stealing credentials and session data. Collaboration among threat actors is common and further intensifies the risk to organizations globally.

Protective Measures and Advanced Security Controls:

In response to the breach, Snowflake is working with its customers to harden their accounts and plans to roll out controls such as multi-factor authentication (MFA) and network policies to block unauthorized access to customer instances. Organizations should adopt such measures proactively rather than wait for the platform to enforce them.
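The block below is an added example covering both the three gaps listed under "Implications" and the controls named here: it finds password users without MFA, restricts logins to known networks, requires MFA enrollment, forces rotation, and kills a live session. It is not Snowflake's own guidance text. Policy names, the `security_db.policies` schema, user names, IP ranges and the session id are placeholders; the authentication-policy syntax follows current Snowflake documentation and should be verified on your account before use.

```sql
-- Added example (not Snowflake's own guidance): the controls named in the
-- article as Snowflake SQL. Run as ACCOUNTADMIN for account-level policies.
-- security_db.policies is a placeholder schema that must already exist;
-- authentication and password policies are schema-level objects.

-- 1. Find who is exposed: password login enabled, no Duo MFA enrolled.
SELECT name, has_password, ext_authn_duo, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Network policy: accept logins only from corporate egress and VPN ranges,
--    so a stolen password is rejected before it is even checked.
CREATE NETWORK POLICY IF NOT EXISTS corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.8/32')   -- placeholder ranges
  COMMENT = 'Corporate egress and VPN only';

-- Confirm the address Snowflake sees for your own session is inside the list
-- before activating, or the ALTER ACCOUNT below locks you out.
SELECT CURRENT_IP_ADDRESS();

ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- A user-level policy overrides the account policy for that user; use it for
-- service accounts that run from a fixed address.
CREATE NETWORK POLICY IF NOT EXISTS etl_runner_policy
  ALLOWED_IP_LIST = ('192.0.2.10/32');                        -- placeholder
ALTER USER etl_runner SET NETWORK_POLICY = etl_runner_policy; -- placeholder user

-- 3. Require MFA enrollment for every password user. SAML users carry MFA at
--    the identity provider, so SAML stays allowed without a Snowflake factor.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security_db.policies.require_mfa_policy
  AUTHENTICATION_METHODS     = ('PASSWORD', 'SAML')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY security_db.policies.require_mfa_policy;

-- 4. Rotation: force a password change for each account returned by query 1
--    (one shown) and cap password age going forward so a credential stolen
--    years ago cannot still be valid.
ALTER USER analyst_jdoe SET MUST_CHANGE_PASSWORD = TRUE;      -- placeholder user

CREATE PASSWORD POLICY IF NOT EXISTS security_db.policies.rotate_90d
  PASSWORD_MIN_LENGTH   = 14
  PASSWORD_MAX_AGE_DAYS = 90
  PASSWORD_HISTORY      = 5;
ALTER ACCOUNT SET PASSWORD POLICY security_db.policies.rotate_90d;

-- 5. MUST_CHANGE_PASSWORD does not end sessions that already authenticated.
--    Terminate any live session flagged by the hunt explicitly.
SELECT SYSTEM$ABORT_SESSION(123456789);                        -- placeholder session id
```

Order matters: activate the network policy first, since it takes effect for new logins immediately and needs no user action, then require MFA, then rotate. Doing rotation first hands the attacker a window in which a freshly set password from a still-infected workstation is stolen again.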


The Snowflake data breach is a wake-up call for organizations worldwide. The tactics used by UNC5537 and the extent of the breach underline the urgent need for multi-factor authentication (MFA), regular credential rotation, and network policies that restrict where logins may come from. Information stealers remain a significant risk, so staying current on emerging variants and working with security specialists matters. By learning from incidents like this one, organizations can better protect themselves against the next campaign of the same kind.
