Mandiant is currently assisting Snowflake in responding to a data theft incident [2], attributed to a threat actor tracked as UNC5537 [1] [4], which has affected 165 of Snowflake’s customers globally.
Description
The cyber threat actor behind the attack, UNC5537 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13], targeted Snowflake environments by stealing login credentials from customers rather than exploiting platform security flaws [7]. The attackers used credentials stolen in infostealer malware campaigns to compromise customer instances, deploying a reconnaissance utility called FROSTBITE to gather information and run SQL queries [2]. Initial compromises occurred on contractor systems [2], highlighting the risk posed by third-party partners in expanding an organization’s attack surface [2]. Most compromised accounts had prior credential exposure, and the compromises succeeded because of failures to refresh login credentials [7], enable multifactor authentication [1] [3] [7] [8] [9] [10] [12], and implement network allow lists [7]. Snowflake is currently working on a plan to ensure customers enable multifactor authentication and has released technical guidance on protecting deployments against hacking attempts [7]. Snowflake customers [2] [3] [4] [6] [9] [10] [11] [12] [13], such as Santander, Ticketmaster [4] [9] [10], and LendingTree [9], have confirmed data breaches [9], with ongoing investigations [6] [9]. Mandiant researchers have identified UNC5537 as the cybercriminal group suspected of stealing a significant volume of data from over 100 organizations, including Snowflake customers [2] [3] [6] [9] [10] [11] [12]. The attacks targeted organizations lacking multifactor authentication [3], allowing unauthorized access using stolen credentials. Mandiant confirmed that Snowflake’s environment was not breached [3], and incidents were traced back to compromised customer credentials [3]. Mandiant began notifying potentially exposed organizations in May and collaborated with Snowflake on a joint investigation and victim notification program [11].
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned about the threat actor campaign targeting Snowflake users and urged proactive monitoring for malicious activity [3]. Snowflake is working closely with customers to implement advanced security controls [3], such as multi-factor authentication [1] [3] [7] [8] [9] [10] [12], to reduce cyber threats [3]. Snowflake has published detailed detection and hardening guidance for customers in response to the ongoing threat campaign [11]. Mandiant has provided technical details on UNC5537’s campaign [8], revealing the threat actor’s use of custom attack tools and info-stealing malware [8]. Mandiant concluded that the campaign highlighted the growing info-stealer market and the need for better credential security measures [8], such as multi-factor authentication [1] [3] [7] [8] [9] [10] [12]. Approximately 100 organizations have been notified of potential exposure [8] [13], and Mandiant has warned of future similar attacks targeting SaaS solutions [8]. A significant volume of data has been stolen from hundreds of Snowflake cloud storage customers via compromised login credentials [4], with the incident linked to data breaches at Ticketmaster and Santander Bank [4]. Mandiant [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13], investigating the data theft alongside Snowflake [4], identified the financially motivated threat actor UNC5537 [4]. At least 165 Snowflake customer organizations have been notified of potential compromises [4], with no evidence suggesting Snowflake’s enterprise environment was breached [4]. The UNC5537 group systematically compromised Snowflake customers using stolen login credentials [4], with credentials dating back to 2020 [1] [4], to steal and sell data on cybercriminal forums [4]. The compromises succeeded because of poor security practices on the impacted accounts [4], and Mandiant expects the list of victims to grow as UNC5537 targets additional platforms in the near future [4].
Sensitive data from hundreds of organizations has been stolen in the recent Snowflake breach [5], according to new research [5]. The attack has been attributed to UNC5537 [5], a new threat actor whose identity has not yet been confirmed [5]. Mandiant’s analysis of a recent campaign impacting Snowflake customers revealed that the threat group UNC5537 accessed over 100 customer tenants using compromised credentials since April 14 [12]. The attack did not stem from a breach of Snowflake’s platform but relied on stolen credentials for accounts without MFA enabled [12]. UNC5537 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13], a financially motivated threat actor [4] [7] [12], extorted victims and advertised stolen data for sale on cybercrime forums [12]. Mandiant and Snowflake notified approximately 165 potentially exposed organizations and are conducting a joint investigation with law enforcement agencies [12]. The threat group accessed Snowflake instances through stolen credentials obtained primarily via infostealer malware campaigns targeting systems not owned by Snowflake [12]. The successful compromises targeted accounts without MFA enabled and with outdated credentials [12]. Snowflake is considering implementing advanced security controls like multi-factor authentication to prevent future attacks [12].
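The three gaps the reporting above ties to the successful compromises (credentials that were never refreshed, no multifactor authentication, no network allow list) can be checked mechanically against an account inventory and login history. The following is an added example, not code from Snowflake, Mandiant or the cited articles; the record layout, the 90-day threshold, the allowed network and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed policy values for this example; the page gives no thresholds.
MAX_PASSWORD_AGE = timedelta(days=90)
ALLOWED_NETWORKS = [ip_network("198.51.100.0/24")]  # documentation range
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)

# Constructed sample inventory (not real accounts).
USERS = [
    {"name": "etl_svc", "mfa": False, "password_set": "2020-11-02"},
    {"name": "analyst1", "mfa": True, "password_set": "2024-04-20"},
    {"name": "contractor7", "mfa": False, "password_set": "2024-05-01"},
]
# Constructed successful-login records: (user, client_ip, second_factor_used)
LOGINS = [
    ("etl_svc", "203.0.113.45", False),
    ("analyst1", "198.51.100.17", True),
    ("contractor7", "198.51.100.80", False),
    ("contractor7", "192.0.2.9", False),
]

def in_allow_list(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)

def audit(users, logins, now=NOW):
    """Return {user: sorted findings} for every account with at least one gap."""
    findings = {}
    for u in users:
        issues = set()
        set_on = datetime.strptime(u["password_set"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if now - set_on > MAX_PASSWORD_AGE:
            issues.add("stale_password")       # credential never refreshed
        if not u["mfa"]:
            issues.add("no_mfa")               # MFA not enrolled
        for _, ip, second_factor in (l for l in logins if l[0] == u["name"]):
            if not in_allow_list(ip):
                issues.add(f"login_outside_allow_list:{ip}")
            if not second_factor:
                issues.add("single_factor_login")
        if issues:
            findings[u["name"]] = sorted(issues)
    return findings

if __name__ == "__main__":
    for name, issues in audit(USERS, LOGINS).items():
        print(name, issues)
```

An account that shows all of `stale_password`, `no_mfa` and a login from outside the allow list matches the profile the reporting describes and is the first to rotate and review.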
Conclusion
The incident underscores the importance of implementing robust security measures, such as multi-factor authentication [1] [3] [7] [8] [9] [10] [12], to protect against cyber threats. Snowflake and Mandiant’s collaborative efforts in investigating and mitigating the data theft incident demonstrate the need for proactive monitoring and response to potential security breaches. The ongoing threat campaign by UNC5537 highlights the evolving tactics of cybercriminals and the necessity for organizations to stay vigilant and continuously improve their security practices to safeguard sensitive data.
References
[1] https://arstechnica.com/information-technology/2024/06/hackers-steal-significant-volume-of-data-from-hundreds-of-snowflake-customers/
[2] https://cybermagazine.com/articles/mandiants-analysis-unveils-cause-of-snowflake-data-theft
[3] https://www.crn.com/news/security/2024/snowflake-customers-hit-with-significant-data-theft-in-attacks-mandiant
[4] https://www.theverge.com/2024/6/11/24176080/snowflake-cloud-storage-data-breach-ticketmaster-santander
[5] https://www.techradar.com/pro/security/hundreds-of-snowflake-customers-may-have-been-hit-by-breach-that-stole-significant-data
[6] https://www.ciodive.com/news/snowflake-customers-attacked-mandiant/718507/
[7] https://siliconangle.com/2024/06/10/mandiant-finds-165-snowflake-customers-targeted-hacking-campaign/
[8] https://www.techtarget.com/searchsecurity/news/366588655/Mandiant-Exposed-credentials-led-to-Snowflake-attacks
[9] https://techcrunch.com/2024/06/10/mandiant-hackers-snowflake-stole-significant-volume-data-customers/
[10] https://www.computerweekly.com/news/366588696/More-than-160-Snowflake-customers-hit-in-targeted-data-theft-spree
[11] https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
[12] https://duo.com/decipher/mandiant-165-snowflake-customers-potentially-exposed-in-wider-campaign
[13] https://www.infosecurity-magazine.com/news/threat-actor-breaches-snowflake/