Answer Brief
Mandiant (Google Cloud) reported a financially motivated cluster, UNC5537, systematically accessing Snowflake customer instances using stolen credentials—then stealing data and pursuing extortion and resale. Mandiant says it found no evidence the activity originated from a breach of Snowflake’s own enterprise environment; incidents it investigated traced back to compromised customer credentials, often sourced from historical infostealer infections dating to 2020. The campaign’s success, per Mandiant, was strongly associated with missing MFA, long-lived unrotated credentials, and lack of network allow lists—shifting the security conversation from “SaaS breach” to “identity hygiene as data-platform blast radius.”

Why It Matters
Mandiant’s reporting reframes a high-profile Snowflake-related wave of disclosures away from a single-vendor compromise narrative and toward a more operationally uncomfortable conclusion for defenders: modern data platforms can become “credential replay” targets at scale when SaaS identity controls lag behind the sensitivity of the data they front.
Key points grounded in the report:
– Customer credential compromise, not a Snowflake enterprise breach: Mandiant states it did not find evidence that unauthorized access stemmed from a breach of Snowflake’s enterprise environment. For organizations triaging third-party risk, that distinction matters because it shifts immediate remediation from vendor incident containment to internal identity, endpoint, and contractor controls.
– Infostealers created multi-year exposure windows: Mandiant observed the actor using credentials sourced from multiple infostealer families (VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA, METASTEALER) and noted some exposures dated back to 2020. Mandiant and Snowflake assessed that at least 79.7% of accounts used by the actor had prior credential exposure. The implication for security programs is that "known-compromised but still valid" credentials can quietly accumulate and later be operationalized against high-value SaaS targets; a password stolen years ago is still the current password if it was never rotated.
– Three enabling misconfigurations turned access into exfiltration: Mandiant attributes many successful compromises to (1) missing MFA, (2) credentials that remained valid long after theft (lack of rotation), and (3) absent network allow lists restricting access to trusted locations. Collectively, these are identity and access governance failures rather than novel platform exploits—yet they directly translate into data-platform breach outcomes.
– Operational tradecraft: reconnaissance and staging were performed using normal platform pathways plus purpose-built tooling. Mandiant observed access via Snowflake's web UI (Snowsight) and SnowSQL, plus the use of DBeaver Ultimate. It also described an attacker-named utility "rapeflake," tracked by Mandiant as FROSTBITE, assessed to support reconnaissance against Snowflake instances via Snowflake drivers (.NET and JDBC). For detection engineering teams, this underscores that legitimate tooling and common connectors blend into normal admin activity unless client-application baselining and high-signal identity telemetry are in place.
– Data exfiltration pattern emphasized native SQL workflows: Mandiant described repeated use of common SQL commands to enumerate tables (SHOW TABLES), read data (SELECT), stage it for export (CREATE TEMPORARY STAGE, then COPY INTO the stage to unload query results as GZIP-compressed files), and download the staged files to the attacker's host (GET). The takeaway is that warehouse-native unload features can be repurposed for high-throughput theft once account controls fail, so monitoring for the stage-create, unload, GET sequence matters as much as monitoring logins.
– Scale and coordination: Mandiant and Snowflake notified approximately 165 potentially exposed organizations and reported coordinating with relevant law enforcement. Mandiant assessed UNC5537 as financially motivated, operating via aliases on Telegram and cybercrime forums, and assessed with moderate confidence that members are based in North America with collaboration from an additional member in Turkey.
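The tradecraft and exfiltration points above translate into a concrete hunt. The following is an added example, not code from Mandiant, Google Cloud or Snowflake: it scans rows shaped like an export of SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY joined to SESSIONS for the CREATE TEMPORARY STAGE, COPY INTO @stage, GET chain inside one session, counts the SHOW TABLES reconnaissance that preceded it, and separately lists client applications outside a baseline. The column names, the client baseline, the sample rows, and the use of the string "rapeflake" as a client-application value are all assumptions made for illustration.

```python
"""Hunt for the staging-and-export chain Mandiant described, in query history.

Added example; this is not code from Mandiant, Google Cloud or Snowflake.
Each row carries the columns you would get by exporting
SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY joined to SESSIONS on SESSION_ID
(SESSION_ID, USER_NAME, CLIENT_APPLICATION_ID, START_TIME, QUERY_TEXT); the
rows and the client baseline below are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three phases of the export chain, in the order they must occur.
# "COPY INTO @..." unloads data into a stage; "COPY INTO <table> FROM @..."
# is an ordinary load and must not match, hence the "@" right after INTO.
PHASES = [
    ("stage", re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?TEMP(?:ORARY)?\s+STAGE\b", re.I)),
    ("copy",  re.compile(r"\bCOPY\s+INTO\s+@", re.I)),
    ("get",   re.compile(r"\bGET\s+@", re.I)),
]
RECON = re.compile(r"\bSHOW\s+TABLES\b", re.I)

# Client applications normally seen in this account (constructed baseline).
KNOWN_CLIENTS = {"Snowflake UI", "SnowSQL 1.2.32", "PythonConnector 3.10.0"}


def classify(query_text):
    """Phase name for a query, or None if it is not part of the chain."""
    for name, pattern in PHASES:
        if pattern.search(query_text):
            return name
    return None


def find_export_chains(rows, window=timedelta(hours=6)):
    """Return {session_id: details} for every session in which a temporary
    stage is created, then unloaded into, then pulled with GET, all within
    `window` of the stage creation. A new CREATE ... STAGE restarts the chain."""
    by_session = defaultdict(list)
    for r in rows:
        by_session[r["SESSION_ID"]].append(r)
    expected = [name for name, _ in PHASES]
    hits = {}
    for sid, session_rows in by_session.items():
        session_rows.sort(key=lambda r: r["START_TIME"])
        recon = sum(1 for r in session_rows if RECON.search(r["QUERY_TEXT"]))
        pos, chain = 0, []
        for r in session_rows:
            phase = classify(r["QUERY_TEXT"])
            if phase == "stage":
                pos, chain = 1, [r]
            elif pos and phase == expected[pos] \
                    and r["START_TIME"] - chain[0]["START_TIME"] <= window:
                chain.append(r)
                pos += 1
                if pos == len(expected):
                    hits[sid] = {
                        "user": r["USER_NAME"],
                        "client": r["CLIENT_APPLICATION_ID"],
                        "recon_queries": recon,
                        "started": chain[0]["START_TIME"],
                        "finished": r["START_TIME"],
                        "queries": [c["QUERY_TEXT"] for c in chain],
                    }
                    break
    return hits


def unknown_clients(rows, baseline=KNOWN_CLIENTS):
    """(user, client) pairs whose client application is outside the baseline."""
    return {(r["USER_NAME"], r["CLIENT_APPLICATION_ID"])
            for r in rows if r["CLIENT_APPLICATION_ID"] not in baseline}


T0 = datetime(2024, 4, 14, 2, 10)


def _row(sid, user, client, minutes, text):
    return {"SESSION_ID": sid, "USER_NAME": user, "CLIENT_APPLICATION_ID": client,
            "START_TIME": T0 + timedelta(minutes=minutes), "QUERY_TEXT": text}


SAMPLE_ROWS = [  # constructed rows, not real telemetry
    # Session 1: a normal load job. It creates a stage but loads FROM it.
    _row(1, "ETL_SVC", "PythonConnector 3.10.0", 0, "CREATE TEMPORARY STAGE load_stg"),
    _row(1, "ETL_SVC", "PythonConnector 3.10.0", 1, "COPY INTO raw.events FROM @load_stg"),
    # Session 2: enumerate, select, stage, unload as gzip CSV, download.
    _row(2, "JDOE", "rapeflake", 1, "SHOW TABLES IN DATABASE prod"),
    _row(2, "JDOE", "rapeflake", 2, "SELECT * FROM prod.crm.customers LIMIT 10"),
    _row(2, "JDOE", "rapeflake", 3, "CREATE TEMPORARY STAGE tmp_out"),
    _row(2, "JDOE", "rapeflake", 4,
         "COPY INTO @tmp_out FROM (SELECT * FROM prod.crm.customers) "
         "FILE_FORMAT = (TYPE = CSV COMPRESSION = GZIP)"),
    _row(2, "JDOE", "rapeflake", 9, "GET @tmp_out file:///tmp/out/"),
]

if __name__ == "__main__":
    for sid, hit in find_export_chains(SAMPLE_ROWS).items():
        print(f"session {sid}: {hit['user']} via {hit['client']} unloaded and "
              f"pulled data in {hit['finished'] - hit['started']} "
              f"after {hit['recon_queries']} SHOW TABLES query(ies)")
    print("clients outside baseline:", unknown_clients(SAMPLE_ROWS))
```

Session 1 is the false-positive case worth keeping in mind: ETL jobs create temporary stages all day, but they load from the stage into a table, so requiring the unload direction (COPY INTO @stage) and a trailing GET in the same session is what separates routine ingestion from data leaving the account. The client-application check is deliberately a separate signal, since a stolen credential replayed through an unfamiliar driver is suspicious even before any data moves.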
Why this matters beyond Snowflake
This campaign is a broader signal for cloud and infrastructure risk management: as data consolidation accelerates in multi-cloud warehouses, the “identity perimeter” around SaaS becomes a primary control plane for preventing data theft and extortion. The report highlights how compromises can originate outside the SaaS provider—on unmanaged endpoints, including contractor devices—yet still produce enterprise-scale impact once valid credentials unlock high-value data stores.
For global cloud security and IAM teams, the Snowflake/UNC5537 pattern is also a cautionary template: attacker acquisition of infostealer logs and credential marketplaces can turn historic endpoint infections into present-day cloud data breaches, particularly where MFA adoption, credential rotation, and access-location restrictions are inconsistent.
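The three conditions named here and in the findings above (no MFA, credentials valid long after theft, no access-location restriction) are auditable from account metadata. The following is an added example, not code from Mandiant, Google Cloud or Snowflake: it scores constructed user rows shaped like a few SNOWFLAKE.ACCOUNT_USAGE.USERS columns against those conditions, adds a dormancy check, and, given a constructed list of logins seen in infostealer logs with the date of exposure, flags passwords that were never rotated after the exposure. The column names are my recollection of the USERS view and should be verified against your account; the "network policy applies" flag is passed in separately because policy assignment is an account- or user-level property rather than a USERS column.

```python
"""Audit Snowflake users for the three conditions Mandiant tied to compromise:
no MFA, credentials valid long after exposure, and no network restriction.

Added example; not code from Mandiant, Google Cloud or Snowflake. User rows
mirror a handful of SNOWFLAKE.ACCOUNT_USAGE.USERS columns as I recall them
(NAME, HAS_PASSWORD, HAS_MFA, PASSWORD_LAST_SET_TIME, LAST_SUCCESS_LOGIN,
DISABLED); check the column names against your account before wiring this
to a real export. Network-policy assignment is an account- or user-level
property rather than a USERS column, so it is passed in separately. The
rows and the "exposed logins" list are constructed for the demo.
"""
from datetime import datetime, timedelta

AUDIT_DATE = datetime(2024, 6, 10)


def audit_user(user, account_has_network_policy, exposures,
               max_password_age=timedelta(days=90),
               dormant_after=timedelta(days=60)):
    """Return the list of finding codes for one user; [] means clean."""
    findings = []
    if user.get("DISABLED"):
        return findings                       # cannot log in; nothing to fix
    uses_password = user.get("HAS_PASSWORD", False)
    set_at = user.get("PASSWORD_LAST_SET_TIME")

    # 1. MFA only matters for password logins; key-pair-only service accounts
    #    are not flagged here (they have their own rotation problem).
    if uses_password and not user.get("HAS_MFA"):
        findings.append("NO_MFA")

    # 2. Age-based rotation.
    if uses_password and set_at and AUDIT_DATE - set_at > max_password_age:
        findings.append("STALE_PASSWORD")

    # 3. Exposure-based rotation: a password set on or before the date the
    #    login appeared in an infostealer log is still the stolen password.
    exposed_at = exposures.get(user["NAME"].upper())
    if uses_password and exposed_at and (set_at is None or set_at <= exposed_at):
        findings.append("EXPOSED_NOT_ROTATED")

    # 4. Some network policy must apply, at account or user level.
    if not (account_has_network_policy or user.get("NETWORK_POLICY")):
        findings.append("NO_NETWORK_POLICY")

    # 5. Dormant accounts (ex-contractors, forgotten vendors) are where stale
    #    credentials hide; they should be disabled rather than left valid.
    last = user.get("LAST_SUCCESS_LOGIN")
    if last is None or AUDIT_DATE - last > dormant_after:
        findings.append("DORMANT")
    return findings


def audit(users, account_has_network_policy, exposures):
    """Map each user name to its findings."""
    return {u["NAME"]: audit_user(u, account_has_network_policy, exposures)
            for u in users}


def summarize(results):
    """Count users per finding code, most common first."""
    counts = {}
    for codes in results.values():
        for c in codes:
            counts[c] = counts.get(c, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed users; none of these are real accounts.
SAMPLE_USERS = [
    {"NAME": "CONTRACTOR_A", "HAS_PASSWORD": True, "HAS_MFA": False,
     "PASSWORD_LAST_SET_TIME": datetime(2020, 9, 1),
     "LAST_SUCCESS_LOGIN": datetime(2024, 4, 14), "DISABLED": False},
    {"NAME": "ANALYST_B", "HAS_PASSWORD": True, "HAS_MFA": True,
     "PASSWORD_LAST_SET_TIME": datetime(2024, 5, 1),
     "LAST_SUCCESS_LOGIN": datetime(2024, 6, 9), "DISABLED": False,
     "NETWORK_POLICY": "corp_only"},
    {"NAME": "ETL_SVC", "HAS_PASSWORD": False, "HAS_MFA": False,
     "PASSWORD_LAST_SET_TIME": None,
     "LAST_SUCCESS_LOGIN": datetime(2024, 6, 10), "DISABLED": False},
    {"NAME": "OLD_VENDOR", "HAS_PASSWORD": True, "HAS_MFA": False,
     "PASSWORD_LAST_SET_TIME": datetime(2021, 3, 1),
     "LAST_SUCCESS_LOGIN": None, "DISABLED": False},
    {"NAME": "LEGACY_DISABLED", "HAS_PASSWORD": True, "HAS_MFA": False,
     "PASSWORD_LAST_SET_TIME": datetime(2019, 1, 1),
     "LAST_SUCCESS_LOGIN": None, "DISABLED": True},
]
# Constructed: login name -> date it was seen in an infostealer log.
EXPOSED_LOGINS = {"CONTRACTOR_A": datetime(2020, 11, 1),
                  "ANALYST_B": datetime(2023, 2, 1)}   # rotated afterwards
ACCOUNT_HAS_NETWORK_POLICY = False

if __name__ == "__main__":
    results = audit(SAMPLE_USERS, ACCOUNT_HAS_NETWORK_POLICY, EXPOSED_LOGINS)
    for name, codes in results.items():
        print(f"{name:16} {', '.join(codes) or 'clean'}")
    print(summarize(results))
```

The two rows that matter most are CONTRACTOR_A and ANALYST_B: both appear in the exposure list, but ANALYST_B's password was set after the exposure date and MFA is on, so the stolen copy is dead; CONTRACTOR_A's password predates the exposure, has no MFA and no network policy, which is exactly the profile the report describes. ETL_SVC shows why the MFA check is gated on HAS_PASSWORD: a key-pair-only service account is not fixed by MFA enrollment, only by a network policy and key rotation.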
Event Type: security
Importance: high
Affected Companies
- Google Cloud
- Mandiant
- Snowflake
Affected Sectors
- Cloud
- Cybersecurity
- Data Platforms
- SaaS
Key Numbers
- Potentially exposed organizations notified by Mandiant and Snowflake (approx.): 165
- Share of accounts leveraged by actor with prior credential exposure (at least): 79.7%
- Earliest infostealer infection date observed tied to used credential: November 2020
- Default retention of the Snowflake account-usage views used for hunting (per Mandiant): 1 year (365 days)
- Date Snowflake published detection and hardening guidance (per Mandiant): 2024-05-30
- Date of Mandiant update referencing hunting guide: 2024-06-17
- Date of Mandiant report: 2024-06-10
Timeline
- November 2020: Earliest infostealer infection date observed associated with a credential later leveraged in the campaign (per Mandiant).
- Mandiant received intelligence on records later determined to originate from a victim Snowflake instance; investigation tied access to infostealer-stolen credentials and noted MFA was not enabled on the compromised account (per Mandiant).
- Mandiant says it obtained intelligence indicating a broader campaign and contacted Snowflake, beginning notifications through its Victim Notification Program (per Mandiant).
- 2024-05-30: Snowflake published detection and hardening guidance to customers (as referenced by Mandiant).
- 2024-06-10: Mandiant published its report detailing UNC5537 activity targeting Snowflake customer instances for theft and extortion.
- 2024-06-17: Mandiant update: released a Snowflake threat hunting guide and noted that the default retention of the relevant account-usage views supports hunting across 365 days (per Mandiant).