UNC5537: Snowflake Customer Data Theft and Extortion

Mandiant is tracking UNC5537, a financially motivated threat actor that stole data from multiple Snowflake customer environments and then attempted to extort the victims

Mandiant's investigation has found no evidence that the unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's own enterprise environment

Mandiant and Snowflake have so far notified approximately 165 potentially exposed organizations

Because multi-factor authentication was not enabled on the affected accounts, a valid username and password were sufficient to authenticate, so credentials harvested by infostealers could be used directly against the customer instances
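The following Snowflake SQL is an added example written for this summary; it is not from the Mandiant report or from Snowflake's documentation. It shows how an administrator would hunt for the exact condition described above (accounts reachable with a password alone) and then close it with an authentication policy. It assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE schema (for example ACCOUNTADMIN); the view and column names (USERS.HAS_MFA, USERS.PASSWORD_LAST_SET_TIME, LOGIN_HISTORY.FIRST_AUTHENTICATION_FACTOR, LOGIN_HISTORY.SECOND_AUTHENTICATION_FACTOR) are taken from Snowflake's ACCOUNT_USAGE documentation as recalled by the editor and should be verified against the current docs, and the policy name require_mfa_policy is hypothetical.

```sql
-- Added example (not from the Mandiant report or Snowflake docs): find
-- Snowflake users who can authenticate with only a password, review their
-- recent password-only logins, then require MFA via an authentication
-- policy. Assumes a role with access to SNOWFLAKE.ACCOUNT_USAGE; column
-- names are as the editor recalls from the docs and should be verified.

-- 1. Active users with no MFA enrolled whose password has not been rotated
--    in over a year. These are the accounts an infostealer credential
--    would unlock without any second factor.
SELECT name,
       login_name,
       has_mfa,
       last_success_login,
       password_last_set_time
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_mfa = FALSE
  AND  password_last_set_time < DATEADD(year, -1, CURRENT_TIMESTAMP())
ORDER BY password_last_set_time;

-- 2. Successful logins in the last 30 days where the only factor was a
--    password, grouped by user, source IP and reported client. A user whose
--    logins suddenly arrive from a new IP or an unfamiliar client application
--    is a candidate for credential misuse and warrants a closer look.
SELECT user_name,
       client_ip,
       reported_client_type,
       reported_client_application,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP BY 1, 2, 3, 4
ORDER BY first_seen DESC;

-- 3. Close the gap: require MFA enrolment account-wide. The policy name is
--    hypothetical. Service accounts that cannot complete MFA should be moved
--    to key-pair authentication and given their own policy rather than being
--    left on password-only access.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL');

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;
```

Note that ACCOUNT_USAGE views lag live activity by up to a few hours, so the login-history query is for hunting and review rather than real-time alerting; for faster detection the same logic can be run against the INFORMATION_SCHEMA LOGIN_HISTORY table function, which covers a shorter window.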

According to Mandiant, the initial infostealer infections occurred on contractor systems that were also used for personal activities, including gaming and downloading pirated software

Although Mandiant has not yet recovered a complete sample of FROSTBITE, it assesses that the tool is used to perform reconnaissance against targeted Snowflake instances

UNC5537's campaign against Snowflake customer instances did not rely on any particularly novel or sophisticated tool, technique, or procedure; it succeeded because stolen credentials remained valid and the targeted accounts lacked MFA