A wave of cyberattacks targeting Snowflake customer environments during the last two months bears the markings of an unfolding disaster.
At least 100 Snowflake customers are confirmed impacted by the attacks, and approximately 165 businesses are potentially exposed, according to Mandiant, which has been assisting Snowflake with an ongoing investigation.
Pure Storage, a data storage vendor, became the first Snowflake customer in a public forum to confirm it was impacted by the attacks, according to a June 11 security bulletin.
Other companies that experts have linked to attacks involving the theft of corporate information stored on Snowflake haven’t officially named the third-party vendor.
The cloud-based data warehouse vendor says the attacks were not caused by a vulnerability, misconfiguration or breach of its systems. Rather, stolen credentials obtained from multiple infostealer malware infections on non-Snowflake-owned systems were the point of entry for the attacks, Mandiant said. Impacted customer accounts were not configured with multifactor authentication.
“We have been communicating with our customers about how to best protect themselves, including enabling multifactor authentication and network access policies,” Snowflake CISO Brad Jones said June 5 in a statement provided to Cybersecurity Dive.
“Snowflake is also suspending certain user accounts where there are strong indicators of malicious activity. We have also been incrementally blocking IP addresses that we have identified and have a high confidence level that are associated with the cyber threat,” Jones said.
First contact
The earliest evidence of unauthorized access to Snowflake customer instances occurred on April 14, according to Mandiant’s June 10 threat intelligence report on the attacks.
The incident response firm said it began investigating data stolen from an unknown database on April 19. Mandiant identified the first confirmed connection to Snowflake on May 14 when it learned two of its incident response clients had lost data from their Snowflake tenant.
“Investigating threat campaigns is complicated and connections are not usually evident at the beginning,” Mandiant Consulting CTO Charles Carmakal told Cybersecurity Dive. “When we began our investigation into what eventually turned into a Snowflake-related threat campaign, we did not yet know the threat actor had compromised multiple Snowflake customer tenants.”
Mandiant uncovered evidence of a broad campaign impacting additional Snowflake customers on May 22. The incident response firm said it notified Snowflake and law enforcement agencies of the attacks that same day.
“Once we learned this was a threat campaign impacting multiple victims, we notified Snowflake with what we knew at the time. We did not yet have complete information since we were still trying to figure things out,” Carmakal said.
“Our discussions with [Snowflake] evolved as we uncovered more of the campaign. We continued to learn more about the campaign as we worked with them,” Carmakal said.
Data theft
The earliest known instance of a cybercriminal posting allegedly stolen data from a Snowflake customer database for sale occurred on May 24, according to Mandiant.
Snowflake disclosed the attacks on customers’ databases on May 30, and provided indicators of compromise and additional recommended actions for companies to investigate potential threat activity within their Snowflake accounts. Mandiant released a threat hunting guide to help Snowflake customers detect malicious activity on database instances on Monday.
While Snowflake and Mandiant point to infostealer malware as the source of stolen customer credentials, the companies haven’t shared information explaining why so many attacks hit Snowflake customers in a short period of time, nor why the attacks all point back to Snowflake.
An investigation into the attacks, with assistance from Mandiant and CrowdStrike, is ongoing.
What's next?
The specific companies recovering from data theft, extortion demands and advertisements for the sale of allegedly stolen data on the dark web remain mostly shrouded in mystery.
Snowflake has not identified any of the customers impacted by the attacks. Analysts and threat hunters warn more companies are confronting significant exposure, and the damage is spreading.
As of June 13, the financially motivated attacker, which Mandiant refers to as UNC5537, was still actively extorting victims with data stolen from Snowflake customer environments, a Mandiant spokesperson told Cybersecurity Dive.