
Cyberattacks on Snowflake customers more widespread than initially believed

New details disclosed by Mandiant researchers on Monday reveal that recent cyberattacks targeting Snowflake customers have had a broader impact than initially reported. The attacks have resulted in the theft of a significant volume of data, potentially affecting 165 customers.

 

The cybercriminal group behind these attacks is suspected of stealing large amounts of records from Snowflake customer environments. In a blog post, Mandiant, an incident response firm owned by Google Cloud, stated that approximately 165 organizations have been notified about potential exposure.

 

The attacks, believed to rely on stolen passwords, have affected customers including Ticketmaster, Santander Bank, and Advance Auto Parts. According to Mandiant, the compromised accounts did not have multi-factor authentication enabled, allowing attackers to gain access with valid usernames and passwords.

 

Mandiant’s investigation has not found evidence of a breach within Snowflake’s environment. Instead, the incidents were traced back to compromised customer credentials. The researchers attributed the attacks to a financially motivated threat actor, now identified as UNC5537. This group has been systematically compromising Snowflake customer instances, advertising stolen data on cybercrime forums, and attempting to extort victims.

 

The stolen credentials were primarily obtained through various infostealer malware campaigns that infected systems not owned by Snowflake. The attacks reportedly began in mid-April, with Mandiant contacting Snowflake on May 22 after identifying the broader scope of the campaign. Potential victims were notified through Mandiant’s Victim Notification Program.

 

In response, Snowflake emphasized its ongoing efforts to help customers enhance their security measures. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also warned about the threat actor campaign and urged Snowflake customers to proactively search for signs of malicious activity.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543