Dive Brief:
- More than 100 Snowflake customers are caught in a widespread identity-based attack spree targeting the cloud-based data warehouse vendor’s customers, Mandiant said Monday in a threat intelligence report. The attacks were not caused by a breach of Snowflake’s systems, Mandiant said.
- “Since at least April 2024, UNC5537 has leveraged stolen credentials to access over 100 Snowflake customer tenants,” Mandiant Consulting CTO Charles Carmakal said Monday in a prepared statement. “The threat actor systematically compromised customer tenants, downloaded data, extorted victims and advertised victim data for sale on cybercriminal forums.”
- Snowflake first disclosed the attacks on May 30 and said it first became aware of the malicious activity on May 23. Snowflake was not immediately available to comment on Mandiant’s research. Mandiant and CrowdStrike are assisting Snowflake with an ongoing investigation.
Dive Insight:
Snowflake and the incident response firms maintain the attacks were not caused by a vulnerability or breach of Snowflake’s enterprise environment.
The financially motivated attacker, UNC5537, used stolen credentials to access Snowflake customer databases. Those credentials were primarily obtained from multiple infostealer malware infections on systems not owned by Snowflake, according to Mandiant. Some of the stolen credentials date back to November 2020.
Snowflake and Mandiant have notified approximately 165 potentially exposed customers to date, Mandiant said.
The attacks that resulted in a significant volume of stolen customer data had three factors in common, Mandiant said:
- Impacted customer accounts were not configured with multifactor authentication;
- Credentials obtained via infostealer malware were still valid;
- Impacted Snowflake customer instances did not have network policy rules in place to limit access to trusted locations.
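The three factors above map directly onto things a Snowflake account administrator can audit and change. The following Snowflake SQL is an added example, not code from the article, from Mandiant or from Snowflake: it assumes the ACCOUNTADMIN role, access to the SNOWFLAKE.ACCOUNT_USAGE share (which lags live data by up to a few hours), and uses placeholder IP ranges, policy and user names.

```sql
-- Added example (not from the article, Mandiant or Snowflake). Assumes ACCOUNTADMIN
-- and the SNOWFLAKE.ACCOUNT_USAGE share; IP ranges, policy name and user name are placeholders.

-- Factor 1: active users who can log in with a password but have no MFA enrolled.
SELECT name, login_name, last_success_login, has_password, has_mfa
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND has_mfa = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- Factor 2: long-lived passwords; a stealer log from years ago is only useful if the
-- password was never rotated. List users whose password is older than one year.
SELECT name, password_last_set_time
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND password_last_set_time < DATEADD(year, -1, CURRENT_TIMESTAMP());

-- Triage: successful single-factor logins in the last 30 days, with source IP and client,
-- so unexpected addresses or client types can be investigated.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- Factor 3: restrict the whole account to trusted egress addresses (placeholder CIDRs).
-- Apply it only after confirming the list covers every legitimate client, or you lock
-- yourself out along with the attacker.
CREATE NETWORK POLICY IF NOT EXISTS corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- Containment for a user whose credentials appeared in stealer output: set a temporary
-- password and force a change at next login.
ALTER USER example_user SET PASSWORD = '<new-temporary-password>' MUST_CHANGE_PASSWORD = TRUE;
```

The first two queries give the population that the stolen-credential attacks depended on (password-only users with old passwords); the login history query is the detection side, and the network policy plus forced reset are the containment side. Network policies can also be attached per user rather than to the account when service accounts need different ranges.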
The update from Mandiant comes as pressure mounts on Snowflake and its customers. The data warehouse and analytics vendor hasn’t independently confirmed how many customers are impacted.
In a Friday update on its community forum, Snowflake CISO Brad Jones said the company is developing a plan to require customers to implement advanced security controls such as MFA or network policies.
Details of the plan were scant, however, including what exactly will be required of Snowflake customers and whether MFA will be turned on by default across its platform. Snowflake did not respond to a request for additional information on its security improvement plan.
The company ended its most recent quarter on April 30 with 9,822 customers.