(Bloomberg) — Cybercriminals are demanding payments of between $300,000 and $5 million apiece from as many as 10 companies breached in a campaign that targeted Snowflake Inc. customers, according to a security firm helping with the investigation.
The hacking scheme has entered a βnew stage” as the gang looks to profit from the most valuable information it has stolen, said Austin Larsen, a senior threat analyst at Googleβs Mandiant security business, which helped lead Snowflakeβs inquiry. That includes auctioning companiesβ data on illegal online forums to try to pressure them into making payments, he said.
βWe anticipate the actor to continue to attempt to extort victims,” Larsen said.
Snowflake, a cloud-based data analytics firm, said on June 2 that hackers had launched a βtargeted” effort directed against Snowflake users that used single-factor authentication techniques. The company declined to comment on any specific customers.
The hacking group used stolen login details to access the Snowflake accounts of as many as 165 Snowflake customers and steal data, Larsen said. It has used the stolen information in attempts to extort money from five to 10 of Snowflakeβs customers, he said. It wasnβt immediately clear which of Snowflakeβs clients have been affected.
Mandiant has attributed the attack to a group it calls βUNC5537,” with members based in North America and Turkey. Larsen said members of the gang have made death threats against cybersecurity experts investigating it. In one case, UNC5537 used artificial intelligence to create fake nude photos of a researcher to harass them, Larsen said.
Mandiant said it was investigating the βpossibility” that a UNC5337 hacker collaborated with a diffuse cybercriminal group known as βScattered Spider” on at least one intrusion within the past six months, however the nature of such a relationship remains murky. Cybersecurity vendor CrowdStrike Holdings Inc. assigned the Scattered Spider name to the group, which functions as a loose community.
Illicit data brokers are now seeking prices above typical black-market rates for the data stolen from Snowflake customers, possibly in the hopes of pressuring the affected firms to pay a ransom, Larsen said. Snowflake has said it plans to close its internal investigation into the hacking campaign and that it hadnβt detected any unauthorized access into its customersβ servers in recent days.
Ticketmaster owner Live Nation Entertainment Inc. said it had discovered βunauthorized access” within a third-party cloud database, which a person familiar with the matter said was hosted on Snowflake.
Since then, Pure Storage Inc. has also disclosed that it experienced a breach of a Snowflake workspace. Advanced Auto Parts said it was investigating reports that the company may have experienced Snowflake-related issues.
Mandiant on Monday released guidance for companies on how to detect UNC5537 hackers, based on recent activity. Credentials from several customers previously were exposed via so-called information-stealing malware, the company said.Β
(Updated to include additional context in sixth and eleventh paragraphs.)
More stories like this are available on bloomberg.com
Β©2024 Bloomberg L.P.
3.6 Crore Indians visited in a single day choosing us as India’s undisputed platform for General Election Results. Explore the latest updates here!
Download The Mint News App to get Daily Market Updates & Live Business News.
Published: 18 Jun 2024, 12:44 AM IST