On June 2, 2024, cloud service provider Snowflake reported increased cyber threat activity targeting some of its customers’ accounts. Snowflake recommended that customers review unusual activity in order to detect and prevent unauthorized user access.

The Cybersecurity and Infrastructure Security Agency (CISA) then sent an alert on June 3, 2024, recommending that Snowflake customers “hunt for malicious activity, report positive findings to CISA, and review the Snowflake notice” on steps to take.

On June 10, 2024, Mandiant provided additional information about the incident. If you are a Snowflake user, the Mandiant Alert is a mandatory read. According to Mandiant, it identified a campaign by threat actor UNC5537 targeting “Snowflake database instances with the intent of data theft and extortion.” The threat actor is suspected of having stolen records from Snowflake customers using stolen customer credentials, and of subsequently advertising that data for sale in an attempt to extort the affected customers. Mandiant has found no evidence of a breach of Snowflake’s own environment; instead, the incidents stemmed from stolen customer credentials being used to access Snowflake, in one instance credentials obtained by infostealer malware. The credentials used by the threat actor were “available from historical infostealer infections, some of which dated as far back as 2020.”

The three factors that allowed a successful compromise included:

1. The impacted accounts were not configured with multi-factor authentication enabled, meaning successful authentication only required a valid username and password.

2. Credentials identified in infostealer malware output were still valid, in some cases years after they were stolen, and had not been rotated or updated.

3. The impacted Snowflake customer instances did not have network allow lists in place to only allow access from trusted locations.

Snowflake users may wish to confirm whether any of these three factors applies to their own accounts and, if so, take measures to address it.
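One way a Snowflake administrator can confirm the three factors from inside the account is to query Snowflake’s own SNOWFLAKE.ACCOUNT_USAGE views. The queries below are an added example written for this post; they are not code from Snowflake, Mandiant, CISA, or the author. They assume a role with access to the SNOWFLAKE database (ACCOUNTADMIN, or a role granted IMPORTED PRIVILEGES on it), and the view and column names are those of the ACCOUNT_USAGE schema as documented by Snowflake; verify them against your account before relying on the results. The one-year rotation threshold is a constructed value, not a Snowflake or Mandiant recommendation.

```sql
-- Added example (not part of the original post): checks for the three factors
-- using the SNOWFLAKE.ACCOUNT_USAGE schema. Assumes ACCOUNTADMIN or a role
-- granted IMPORTED PRIVILEGES on the SNOWFLAKE database.
USE ROLE ACCOUNTADMIN;

-- Factor 1: users who can log in with a password but have no MFA enrolled.
-- Every row here is an account that a stolen username/password alone can open.
SELECT name,
       has_password,
       ext_authn_duo AS mfa_enrolled,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- Factor 2: password users whose password has not been rotated in over a year
-- (constructed threshold; the credentials in this campaign dated back to 2020).
SELECT name,
       password_last_set_time,
       DATEDIFF('day', password_last_set_time, CURRENT_TIMESTAMP()) AS days_since_rotation
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  (password_last_set_time IS NULL
        OR password_last_set_time < DATEADD('year', -1, CURRENT_TIMESTAMP()))
ORDER  BY password_last_set_time NULLS FIRST;

-- Factor 3: is a network policy (IP allow list) active at the account level?
-- A blank "value" column in the result means no account-wide allow list applies.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- Review of unusual activity: successful password-only logins in the last 30
-- days, grouped by user and source IP, so unfamiliar sources stand out.
SELECT user_name,
       client_ip,
       first_authentication_factor,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name, client_ip, first_authentication_factor
ORDER  BY last_seen DESC;
```

ACCOUNT_USAGE views are populated with a delay of up to a few hours, so the login-history query is a review aid rather than a real-time alert; the findings from the first three queries map directly onto the remediation steps (enforce MFA, rotate stale passwords, attach a network policy) that the Snowflake and Mandiant notices describe.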

According to Mandiant, it and Snowflake have notified 165 “potentially exposed organizations,” and Snowflake is working with customers to mitigate a potential compromise.

Google/Mandiant provided a helpful threat intelligence collection of indicators of compromise, which is worth a scan.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.