Mandiant's Analysis Unveils Cause of Snowflake Data Theft

The theft has affected as many as 165 of Snowflake's 9000+ customers worldwide
Mandiant identified three key issues that the customers affected by the data breach shared

Google-owned cybersecurity firm Mandiant has been called in to assist cloud computing giant Snowflake in its incident response efforts for a major data theft incident.

The theft, attributed by Mandiant to a threat group it tracks as UNC5537, has affected as many as 165 of Snowflake's 9000+ customers worldwide.

Last week, authorities sounded the alarm that companies using Snowflake environments had been compromised, with Santander Bank and Ticketmaster, two of Snowflake’s biggest customers, confirming breaches.

At the heart of the attack is a financially motivated threat group that has systematically compromised Snowflake customer instances using stolen credentials obtained from various infostealer malware campaigns. 


Sophisticated Attack Methodology

Mandiant's investigation has shed light on the tactics employed by the UNC5537 group. The method of attack involved leveraging the stolen credentials to gain unauthorised access to Snowflake customer instances. 

Mandiant noted that there is no evidence that a breach of Snowflake's own enterprise environment was to blame for its customers' breaches.

Instead, the breach was traced back to Snowflake customers' credentials being compromised in earlier infostealer malware campaigns.

"The earliest infostealer infection date observed associated with a credential leveraged by the threat actor dated back to November 2020," Mandiant said, with the company having "identified hundreds of customer Snowflake credentials exposed via infostealers since 2020."

Mandiant determined that UNC5537 used legitimate credentials to break into the victim's Snowflake environment. The victim did not have multi-factor authentication turned on.

Once inside, the attackers deployed a reconnaissance utility dubbed FROSTBITE to gather sensitive information and run SQL queries.

Several of the initial compromises occurred on contractor systems that were being used for both work and personal activities.

"These devices, often used to access the systems of multiple organisations, present a significant risk," Mandiant researchers wrote. "If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organisations, often with IT and administrator-level privileges."

The way that supply-chain and third-party partners expand an organisation's attack surface has recently been highlighted in studies pointing to the pervasive nature of the problem.

Examining the attack

Mandiant said that all of the successful intrusions shared three things in common.

Three facts shared by those affected
  • 1 - The victims did not use multi-factor authentication (MFA), the security process that requires users to provide two or more verification factors to gain access to an account, system or application.
  • 2 - The attackers used valid credentials, "hundreds" of which were stolen during infostealer infections. Some of those thefts occurred as far back as 2020, and the credentials had still not been updated or rotated. Mandiant's analysis revealed that around 80% of the affected accounts had previously been exposed.
  • 3 - The compromised accounts did not have network allow-lists in place. Network allow-lists, also known as IP allow-lists or whitelists, are security controls that restrict network access to specified IP addresses or ranges of IP addresses, allowing only approved sources to connect to systems, applications, or services.
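As an added illustration (not code from Mandiant, Snowflake or the article), the script below audits a constructed user inventory and login history for the three gaps listed above: MFA not enabled, passwords not rotated since a cutoff, and successful logins from addresses outside an allow-list. The record fields loosely mirror Snowflake's ACCOUNT_USAGE USERS and LOGIN_HISTORY views, but the field names, sample accounts, addresses, cutoff date and allowed network are all assumptions made for this example.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample user inventory (field names assumed, modelled on ACCOUNT_USAGE.USERS).
USERS = [
    {"name": "analyst_a",    "has_mfa": True,  "password_last_set_time": "2024-03-01"},
    {"name": "contractor_b", "has_mfa": False, "password_last_set_time": "2020-10-15"},
    {"name": "svc_etl",      "has_mfa": False, "password_last_set_time": "2023-11-20"},
]

# Constructed sample of successful logins (field names assumed, modelled on ACCOUNT_USAGE.LOGIN_HISTORY).
LOGINS = [
    {"user_name": "analyst_a",    "client_ip": "10.20.0.5",    "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "DUO_PUSH", "is_success": "YES"},
    {"user_name": "contractor_b", "client_ip": "203.0.113.77", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None,       "is_success": "YES"},
    {"user_name": "svc_etl",      "client_ip": "10.20.0.9",    "first_authentication_factor": "RSA_KEYPAIR",
     "second_authentication_factor": None,       "is_success": "YES"},
]

# Hypothetical corporate allow-list and rotation cutoff (both assumptions for this example).
ALLOWED_NETWORKS = [ip_network("10.20.0.0/16")]
ROTATION_CUTOFF = date(2024, 1, 1)


def ip_allowed(ip: str) -> bool:
    """True if the client address falls inside one of the allow-listed networks."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def audit(users, logins, cutoff=ROTATION_CUTOFF):
    """Return {user_name: sorted list of findings} for users showing any of the three gaps."""
    findings = {}

    def flag(user, gap):
        findings.setdefault(user, set()).add(gap)

    for u in users:
        if not u["has_mfa"]:
            flag(u["name"], "no_mfa")
        if date.fromisoformat(u["password_last_set_time"]) < cutoff:
            flag(u["name"], "stale_password")
    for entry in logins:
        if entry["is_success"] != "YES":
            continue  # only successful sessions matter for these checks
        if entry["first_authentication_factor"] == "PASSWORD" and not entry["second_authentication_factor"]:
            flag(entry["user_name"], "password_only_login")
        if not ip_allowed(entry["client_ip"]):
            flag(entry["user_name"], "login_outside_allowlist")
    return {user: sorted(gaps) for user, gaps in findings.items()}
```

Running `audit(USERS, LOGINS)` on the sample data reports nothing for `analyst_a`, all four findings for `contractor_b`, and `no_mfa` plus `stale_password` for `svc_etl`.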

In response to the breach, Mandiant has been working closely with Snowflake to notify the affected organisations and assist them in hardening their security measures. 

Cyber Magazine is a BizClik brand