UNC5537: Snowflake Customer Extortion and Data Theft
Mandiant is tracking UNC5537, a financially motivated threat actor that stole data from several Snowflake customer instances
According to Mandiant's analysis, there is no evidence that a breach of Snowflake's enterprise environment led to the unauthorized access to customer accounts
Mandiant and Snowflake have so far notified about 165 potentially exposed organizations
Because multi-factor authentication was not enabled on the affected accounts, a valid username and password was all that was needed to authenticate successfully
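A defender-side check that follows from the MFA point above, added here as an example and not taken from the page or from Mandiant's report. It assumes access to Snowflake's SNOWFLAKE.ACCOUNT_USAGE schema and the USERS and LOGIN_HISTORY views with the column names shown; both queries surface accounts that can still be reached with only a password.

```sql
-- Added example (not from the page): list Snowflake users who can log in
-- without MFA, and recent successful logins that used only a password.
-- Assumes the ACCOUNT_USAGE views and column names below; adjust if your
-- account's schema differs.

-- 1. Enabled, non-deleted users with no MFA enrolled, most recent login first.
SELECT name,
       has_mfa,
       last_success_login,
       disabled
FROM snowflake.account_usage.users
WHERE disabled = FALSE
  AND has_mfa = FALSE
  AND deleted_on IS NULL
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days, grouped by user,
--    source IP and client type, so single-factor access from unfamiliar
--    networks or unexpected tools stands out for review.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS login_count,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP BY user_name, client_ip, reported_client_type
ORDER BY login_count DESC;
```

Note that ACCOUNT_USAGE views lag live activity by up to a couple of hours, so use them for review rather than real-time alerting.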
According to Mandiant, the initial infostealer malware infections occurred on contractor PCs that were also used for personal activities, including downloading pirated software and playing games
Although Mandiant has not yet recovered a complete sample of FROSTBITE, it assesses that the tool is used to conduct reconnaissance against targeted Snowflake instances
The UNC5537 campaign against Snowflake customer instances did not rely on any highly advanced or novel technique, tool, or procedure