UNC5537 Hackers hijack Snowflake client instances

Malicious actors enter networks with the goal of gaining unauthorized access to personal and business information, bank accounts, and organizational resources for the purposes of identity theft, fraud, and data theft.

They can pose as legitimate users to access a system, navigate to different sections, and perform other illicit actions that might go unnoticed until major damage is done.

Cybersecurity researchers at Google Cloud recently identified that UNC5537 hackers were actively hijacking Snowflake client instances with stolen connections.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

UNC5537 Hackers hijack Snowflake Data base

Snowflake customer database instances are the target of a data theft and extortion campaign discovered by Mandiant, led by UNC5537, a financially motivated threat group.

Actors leverage infostealer malware to obtain stolen credentials, which they then use to systematically compromise victims’ environments without multi-factor authentication.

After exfiltrating large volumes of data, they will put some of the stolen records up for sale on the Internet while trying to force victims to pay them so that they will be left alone.

Instead, investigations show that the unauthorized access came from compromised customer credentials rather than hacking into Snowflake’s systems.

Mandiant and Snowflake jointly notified approximately 165 potentially affected organizations in a coordinated effort in May 2024, and subsequently provided guidance on how such attacks can be detected.

This joint investigation continues to include law enforcement.

Attack Path (Source – Mandiant)

Multiple companies’ Snowflake instances were hacked by UNC5537, which was able to use stolen client credentials, primarily derived from infostealer malware attacks that began in 2020.

The lack of multi-factor authentication on given accounts, unchanged but valid but compromised passwords, and failure to implement network authorization controls allowed the threat actor to gain access to the system and to steal huge amounts of customer data.

UNC5537 then made direct blackmail attempts and posted the stolen documents on illegal websites.

This shows how insufficient cloud access control and credential management could be dangerous for such information.

Timeline of the UNC5537 campaign (Source – Mandiant)

It was found that since 2020, UNC5537 was using many Snowflake client codes from different infostealer malware.

Some of them were even released in November 2020.

Some of the hacked accounts (at least 79.7%) were not protected by multi-factor authentication and were victims of password reuse or accidental infections, in many cases on contractors’ personal devices accessing various clients.

First, there was initial access to these systems through Snowflake’s web UI, CLI tool, and a custom utility called “FROSTBITE” for reconnaissance purposes.

Malicious actors then systematically organized and exfiltrated data on the compromised instances via SQL queries and the database management tool DBeaver, taking advantage of the lack of access controls and credential hygiene.


Client application IDS:-

  • Rapeseed flakes
  • DBeaver_DBeaverUltimate
  • Go 1.1.5
  • JDBC 3.13.30
  • JDBC 3.15.0
  • PythonConnector 2.7.6
  • SnowSQL 1.2.32
  • Snowflake UI
  • Snowsight

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo