Mandiant, the cyber threat intelligence firm owned by Google, has revealed that financially motivated hackers may have stolen data from approximately 165 Snowflake customers. The attacks are attributed to a threat group Mandiant tracks as UNC5537. Notably, the campaign did not rely on a flaw in Snowflake's platform itself: the attackers logged in with stolen customer credentials to accounts that had no second authentication factor, a gap this report returns to below.
Snowflake, which disclosed the campaign earlier this month, warned that customers without multifactor authentication (MFA) are particularly vulnerable. According to Mandiant, UNC5537 has targeted hundreds of organizations globally, using stolen credentials to access over 100 Snowflake customer tenants. The group has systematically compromised accounts, downloaded data, extorted victims, and sold the stolen information on cybercriminal forums.
The breach has already impacted notable companies, including Ticketmaster and LendingTree's subsidiary QuoteWizard. The credentials were not obtained from Snowflake. They had been harvested from employee and contractor machines in earlier, unrelated infections by infostealer malware such as Redline and Raccoon Stealer, and were still valid because they had never been rotated.
With those credentials in hand, the attackers signed in through Snowflake's own client tooling: the web-based user interface, Snowsight, and the command-line tool, SnowSQL. They also used a custom utility Mandiant calls "Frostbite" to run reconnaissance against victim instances. Frostbite exists in .NET and Java versions, which talk to Snowflake through the official .NET and JDBC database drivers respectively, so its traffic looks like that of any application using those drivers.
A significant weakness is how hard it was to roll out MFA across a Snowflake account. MFA was opt-in per user: each user had to enroll individually, and an administrator could not force enrollment account-wide, so a single un-enrolled account with a leaked password was enough to expose a tenant. As security researcher Kevin Beaumont noted, the sensitive data Snowflake holds makes these breaches particularly damaging. Until Snowflake simplifies MFA enforcement, the risk of further attacks remains high.
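For administrators who want to measure their own exposure to the pattern described in the two preceding paragraphs, the following Snowflake SQL is an added example written for this article; it is not code from Mandiant, Snowflake or the original report. It assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE schema (for example ACCOUNTADMIN). The first query lists users who can still authenticate with only a password, the second hunts for successful password-only logins arriving through the JDBC and .NET drivers that Frostbite drives, and the third flags accounts that authenticated from several networks in a short window. The client-type match strings in the second query are an assumption and should be checked against the DISTINCT values in your own login history.

```sql
-- Added example (not from the article, Mandiant or Snowflake).
-- Assumes a role with access to SNOWFLAKE.ACCOUNT_USAGE, e.g. ACCOUNTADMIN.
-- ACCOUNT_USAGE views lag live activity by up to a couple of hours.

-- 1. Enrollment gap: enabled users who hold a password but have never
--    enrolled in Duo MFA. EXT_AUTHN_DUO only becomes TRUE after the
--    per-user self-enrollment step described in the article.
SELECT name,
       login_name,
       has_password,
       ext_authn_duo,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Hunt: successful logins with a password and no second factor that
--    came in through the JDBC or .NET drivers rather than Snowsight.
--    The ILIKE patterns are an assumption; compare them with
--    SELECT DISTINCT reported_client_type FROM login_history first.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       reported_client_version,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  (reported_client_type ILIKE '%JDBC%'
        OR reported_client_type ILIKE '%NET%')
ORDER  BY event_timestamp DESC;

-- 3. Credential reuse signal: one person rarely authenticates from three
--    or more source IPs in a week without a second factor; a password
--    circulating on a criminal forum does.
SELECT user_name,
       COUNT(DISTINCT client_ip) AS distinct_ips,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name
HAVING COUNT(DISTINCT client_ip) >= 3
ORDER  BY distinct_ips DESC;
```

Any user returned by the first query and also present in the second or third is the exact combination the campaign abused: a password-only account that is being driven programmatically from outside the organization's usual networks. Those accounts should have their passwords rotated and MFA enrolled before anything else.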