In an alarming event for cloud cybersecurity, customers of the data platform Snowflake are facing targeted cyberattacks following the theft of user credentials.

The revelations were made public earlier this week by the security company Mandiant, which announced that hackers are targeting customer instances on Snowflake, using leaked login information to breach accounts.

Mandiant, which is owned by Google, clarified that these strikes are limited to customer accounts and do not compromise the Snowflake service infrastructure itself. Snowflake, known for its cloud and data management services, now sees its customers in the crosshairs of cybercriminals.

While Mandiant did not attribute these incidents to a known group, it tracks the activity under the designation UNC5537, stating:

“Mandiant tracks this cluster of activity as UNC5537, a financially motivated threat actor suspected to have stolen a significant volume of records from Snowflake customer environments.”

“UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims,” Mandiant continued.

These attacks appear unrelated to the recent Snowflake breach by the notorious ShinyHunters group, which claims to have obtained hundreds of millions of credentials. Snowflake has downplayed that breach, attributing it to a test environment managed by a former employee. However, the incident did result in data breaches at companies such as Ticketmaster and Santander Bank.

UNC5537 has been active since at least 2020, and Mandiant says around 165 organisations are at risk. Experts say the attackers are using data-theft malware to harvest user login credentials, which are then used to access and further exploit Snowflake instances. The stolen data is typically sold on the dark web or used for ransomware schemes.

Mandiant has advised Snowflake customers to adopt two-factor authentication (2FA) to safeguard their accounts. The firm noted that every breach it observed involved users who had not enabled 2FA, underscoring the critical need for this security measure.
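The 2FA finding above translates into two audit queries a Snowflake administrator can run to find exposed accounts before an attacker does. This is an added example, not code from the article or from Mandiant; it assumes the ACCOUNTADMIN role and the standard SNOWFLAKE.ACCOUNT_USAGE views, and column names should be checked against the current Snowflake documentation for your account.

```sql
-- Added example: defensive audit of a Snowflake account for password-only access.
-- Assumes ACCOUNTADMIN (or a role granted the SNOWFLAKE database) and the
-- SNOWFLAKE.ACCOUNT_USAGE views; verify column names against current docs.
-- Note: ACCOUNT_USAGE views lag live activity by up to a couple of hours.
USE ROLE ACCOUNTADMIN;

-- 1. Active users who can still log in with a password alone:
--    password set, no MFA enrolment. These are the accounts a stolen
--    credential from infostealer malware would unlock outright.
SELECT name,
       login_name,
       last_success_login,
       has_rsa_public_key,
       has_mfa
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::BOOLEAN = FALSE
  AND  has_password = TRUE
  AND  has_mfa = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days, grouped by source.
--    Review each (user, IP, client) combination; a login with no second
--    factor from an unfamiliar IP or client type is a triage candidate.
SELECT user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY 1, 2, 3, 4
ORDER  BY last_seen DESC;
```

Users returned by the first query are the ones to enrol in MFA (or move to key-pair or SSO authentication); rows from the second query that do not match a known client or network are worth checking against the password reset and session revocation steps in the incident runbook.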

Know the risks

In an era characterised by increasingly sophisticated cyberattacks, the Snowflake data breach serves as a reminder of the critical need for continually optimised cybersecurity in cloud infrastructures.

Business leaders can get to the edge of the conversation this October at #RISK London, where experts will debate the new wave of cyber-threats that organisations face in our digitising world.

#RISK London 2024

We’re excited to share that #RISK is back in London for its third consecutive year, ready to equip attendees like you with the knowledge, insights, and connections crucial for navigating today’s dynamic risk landscape.


Taking place October 9 and 10 at London’s ExCel, #RISK London brings high-profile subject-matter experts together for a series of keynotes, engaging panel debates and presentations across four separate theatres:

• GRC Theatre

• RegTech Theatre

• PrivSec Theatre

• Risk Theatre 

Each theatre is dedicated to examining the challenges and opportunities that businesses face in times of unprecedented change.

By breaking down silos and aligning systems and workflows, organisations can streamline decision-making, improve efficiencies, and enhance the customer experience.

Attendees will be able to learn how to mitigate risks, reduce compliance breaches, and drive performance.

“#RISK is such an important event as it looks at the broad perspective. Risks are now more interconnected and the risk environment is bigger than ever before.”

Michael Rasmussen, GRC Analyst & Pundit, GRC 20/20 Research
