Cybercriminals Extort Millions from Snowflake Inc. Customers
In a significant cybersecurity breach, cybercriminals are demanding payments ranging from $300,000 to $5 million each from up to 10 companies compromised in an attack targeting Snowflake Inc. customers. A security firm involved in the inquiry revealed these details.
A New Stage of Cybercrime
The hacking scheme has evolved as the cybercriminals attempt to monetize the stolen data, according to Austin Larsen, a senior threat analyst at Google’s Mandiant security business. The attackers are leveraging illegal online forums to auction the stolen information, hoping to coerce companies into paying ransoms. “We anticipate the actor to continue to attempt to extort victims,” Larsen stated.
Method of the Attack
Snowflake, a cloud-based data analytics company, reported on June 2 that hackers had launched a “targeted” attack against its users employing single-factor authentication methods. The hacking group managed to use stolen login details to infiltrate the accounts of up to 165 Snowflake customers, subsequently stealing data from them. It is estimated that approximately five to ten of these customers are currently facing extortion attempts.
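The account-level check this points to is whether anyone is still signing in with a password and no second factor. The query below is an added example, not part of the original report or Snowflake's own guidance; it assumes the reader has access to the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (which lags real time by a few hours) and that the 14-day window and the five-address threshold are constructed values to tune.

```sql
-- Successful single-factor password logins in the last 14 days, per user,
-- with how many distinct source addresses and client types were seen.
-- Many distinct IPs on a password-only account is the pattern that deserves
-- a credential reset and MFA enrolment, not just a closer look.
WITH single_factor AS (
    SELECT
        user_name,
        client_ip,
        reported_client_type,
        event_timestamp
    FROM snowflake.account_usage.login_history
    WHERE event_timestamp >= DATEADD('day', -14, CURRENT_TIMESTAMP())
      AND is_success = 'YES'
      AND first_authentication_factor = 'PASSWORD'
      AND second_authentication_factor IS NULL   -- no MFA completed
)
SELECT
    user_name,
    COUNT(*)                        AS password_only_logins,
    COUNT(DISTINCT client_ip)       AS distinct_source_ips,
    COUNT(DISTINCT reported_client_type) AS distinct_client_types,
    MIN(event_timestamp)            AS first_seen,
    MAX(event_timestamp)            AS last_seen,
    -- Constructed threshold: 5+ source addresses in two weeks is flagged.
    IFF(COUNT(DISTINCT client_ip) >= 5, 'REVIEW', 'OK') AS triage
FROM single_factor
GROUP BY user_name
ORDER BY distinct_source_ips DESC, password_only_logins DESC;
```

Any user listed here is, by definition, relying on the single factor the attackers in this campaign needed; the rows marked REVIEW are simply the ones to act on first.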
The Attackers
Mandiant has attributed this attack to a group known as “UNC5537,” with members operating out of the US and Turkey. The group has also threatened some of the cybersecurity experts investigating the breach, going as far as making death threats and using AI to create fake nude photos of a researcher for harassment purposes.
Possible Collaborations
Mandiant is also exploring the possibility that a UNC5537 hacker collaborated with a separate cybercriminal group known as “Scattered Spider” on at least one intrusion within the last six months. However, the exact nature of this potential relationship remains unclear. The name “Scattered Spider” was coined by cybersecurity vendor CrowdStrike Holdings Inc., and the group operates as a loose community of cybercriminals.
The stolen data is being offered at prices exceeding typical black-market rates, speculated to be a tactic to pressure affected firms into paying the ransom, according to Larsen.
Continuing Investigation
Snowflake has indicated plans to conclude its internal investigation into the hacking campaign, noting that it has not detected any unauthorized access to its customers’ servers in recent days. However, some clients have reported incidents that may be connected to the breach. Ticketmaster owner Live Nation Entertainment Inc. identified “unauthorized access” in a third-party cloud database hosted on Snowflake, while Pure Storage Inc. acknowledged a breach of a Snowflake workspace. Advance Auto Parts is also investigating potential Snowflake-related issues.
In response to the situation, Mandiant plans to release new guidance to assist companies in investigating data theft linked to this hacking campaign. The new guidance is expected to be available on Monday, according to a draft of the report reviewed by Bloomberg.