Decipher File · April 2024 to June 2024
Snowflake UNC5537: How Stolen Infostealer Credentials Drained 165 Customer Tenants
The Snowflake UNC5537 campaign is the cybersecurity credential-theft event that proved single-factor SaaS access is a tenant-wide liability. From April through June 2024, a financially motivated actor used credentials harvested by infostealer malware to authenticate to Snowflake customer instances at AT&T, Ticketmaster, Santander, and roughly 165 other tenants.
Incident summary
Snowflake is a cloud data warehouse used by enterprises to store analytical and operational data. Mandiant disclosed on June 10, 2024 that a threat actor it tracks as UNC5537 had accessed Snowflake customer instances using credentials stolen by commodity infostealer malware. Snowflake itself was not breached. The compromise sat at the customer-tenant identity boundary.
Per Mandiant's investigation, the credentials in use included logs dating back to 2020 from infostealers including RedLine, Vidar, Lumma, and Raccoon Stealer. The credentials belonged to current and former employees and contractors at Snowflake customers. Many of the affected accounts had never enabled multifactor authentication, and Snowflake at the time did not enforce MFA at the platform level.
Roughly 165 customer organizations were notified, per Mandiant. Public disclosures named AT&T (approximately 109 million customer records per its July 12, 2024 8-K), Ticketmaster (Live Nation 8-K dated May 31, 2024 referenced approximately 560 million records claimed by the actor), Santander, Advance Auto Parts, Neiman Marcus, LendingTree, and Pure Storage.
Attack technique
MITRE ATT&CK maps the operation primarily to T1078.004 (Valid Accounts: Cloud Accounts). Initial access did not require any vulnerability. UNC5537 logged into Snowflake using usernames and passwords already published in infostealer logs. Mandiant documented that the actor sourced credentials from at least two underground markets and stealer log channels on Telegram.
Per Mandiant, UNC5537 used commercial VPN providers including Mullvad and Private Internet Access to obscure source IPs. The actor leveraged the SnowSQL command-line client and a custom data-staging utility tagged in logs as 'rapeflake' to enumerate databases, dump table contents, and upload exfiltrated data to attacker-controlled storage.
After exfiltration, UNC5537 contacted victims directly with extortion demands and listed select victims on the BreachForums data-leak forum. The actor also marketed bulk data dumps publicly, suggesting both private extortion and broker-style monetization. Mandiant correlated infrastructure and tradecraft across the campaign to a small operator cell rather than a coordinated APT.
Impact and consequences
AT&T disclosed in its July 12, 2024 8-K filing that data on nearly all wireless customers and many landline customers was downloaded from a Snowflake workspace, covering call and text metadata from May 2022 to October 2022 and January 2023. AT&T paid an extortionist 5.7 BTC (approximately $370,000 at the time per Wired and 404 Media reporting) for evidence of data deletion.
Ticketmaster's parent Live Nation reported in a May 31, 2024 8-K that an unauthorized actor offered company data for sale on the dark web, with reporting referencing 560 million records. Class-action litigation against AT&T, Ticketmaster, and Snowflake followed in summer 2024, including consolidated multidistrict cases.
Snowflake announced on July 9, 2024 that new accounts must use MFA by default, and on October 8, 2024 the company introduced a tenant-level setting to require MFA for all human users. The Connor Riley Moucka indictment, unsealed by the Western District of Washington on November 5, 2024, described 20 federal counts including conspiracy, wire fraud, and aggravated identity theft against an alleged UNC5537 operator arrested in Canada on October 30, 2024.
Indicators of Compromise
Specific artifacts defenders should hunt for. Cross-reference these against your existing detection rules before acting on them.
- Authentication to Snowflake from commercial VPN ranges including Mullvad and Private Internet Access
- User-Agent string 'rapeflake' (custom exfiltration tool documented by Mandiant)
- User-Agent 'DBeaver_DBeaverUltimate' tied to UNC5537 reconnaissance per Mandiant
- Large outbound result-set queries against customer data tables shortly after first login
- Credentials present in public infostealer logs (RedLine, Vidar, Lumma, Raccoon Stealer)
- Snowflake login events from accounts that had never enabled MFA
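Added example, not a query from Mandiant or Snowflake: two hunts over the SNOWFLAKE.ACCOUNT_USAGE views that turn the indicators above into something a tenant admin can run. It assumes the standard LOGIN_HISTORY and SESSIONS columns and uses a 90-day lookback chosen for illustration.

```sql
-- Hunt 1: sessions created by the client tooling Mandiant attributed to UNC5537,
-- joined to the login event that opened them so the source IP and factors are visible.
-- Needs ACCOUNTADMIN or IMPORTED PRIVILEGES on the SNOWFLAKE database; views lag ~2h.
SELECT s.created_on,
       s.user_name,
       s.client_application_id,
       l.client_ip,
       l.first_authentication_factor,
       l.second_authentication_factor
FROM snowflake.account_usage.sessions s
JOIN snowflake.account_usage.login_history l
  ON l.event_id = s.login_event_id
WHERE s.created_on >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND (LOWER(s.client_application_id) LIKE '%rapeflake%'
       OR s.client_application_id = 'DBeaver_DBeaverUltimate')
ORDER BY s.created_on DESC;

-- Hunt 2: successful password-only logins (no second factor) from an IP the user
-- had never used before the lookback window. A stale stealer credential replayed
-- through a commercial VPN lands in this result set.
WITH baseline AS (
  SELECT user_name, client_ip
  FROM snowflake.account_usage.login_history
  WHERE is_success = 'YES'
    AND event_timestamp < DATEADD(day, -90, CURRENT_TIMESTAMP())
  GROUP BY 1, 2
)
SELECT l.event_timestamp,
       l.user_name,
       l.client_ip,
       l.reported_client_type
FROM snowflake.account_usage.login_history l
LEFT JOIN baseline b
  ON b.user_name = l.user_name
 AND b.client_ip = l.client_ip
WHERE l.event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND l.is_success = 'YES'
  AND l.first_authentication_factor = 'PASSWORD'
  AND l.second_authentication_factor IS NULL
  AND b.user_name IS NULL            -- IP not in the user's historical baseline
ORDER BY l.event_timestamp DESC;
```

Hits from Hunt 2 are worth joining to QUERY_HISTORY on session to see whether a large result set followed the first login, which is the fourth indicator in the list.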
Lessons for defenders
Enforce MFA at the SaaS platform level, not the user level. Snowflake supported MFA for years before this campaign, but enforcement was opt-in per user. Per-tenant MFA requirements, network policy allowlists, and platform-default MFA close the entire population of non-MFA accounts at once.
Treat infostealer log monitoring as a first-class control. Services including Recorded Future, Flare, and Hudson Rock surface employee credentials when they appear in stealer logs. Forcing a password rotation on every hit invalidates the credential before it pays out for an extortion actor.
Apply network policies and IP allowlists for SaaS data warehouses. Snowflake supports network policies that restrict authentication to known corporate egress IPs. Most affected customers had not configured them. Default-deny at the network layer turns commodity-stealer credentials into useless tokens.
Audit which contractors and former employees still hold SaaS credentials. Mandiant noted that some compromised accounts belonged to former employees of customers. Joiner-Mover-Leaver hygiene that includes SaaS data-warehouse access removal closes a long-tail risk that questionnaires routinely miss.
Treat extortion-only campaigns as ransomware-equivalent in the response plan. UNC5537 did not encrypt anything. The decision economics, OFAC checks, and disclosure obligations are still ransomware-class. Tabletop exercises should include the data-theft-only branch.
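Added example, not Snowflake's published guidance: the tenant-level controls from the lessons above expressed as Snowflake DDL, followed by a check for the password-only and dormant accounts they are meant to catch. The policy names and the 203.0.113.0/24 range (an RFC 5737 documentation range) are placeholders; MFA_ENROLLMENT is assumed to be the authentication-policy parameter for the tenant-level MFA requirement.

```sql
-- Lesson 3: default-deny at the network layer. Only the listed egress ranges may
-- authenticate; a valid password from a residential or VPN IP is rejected.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')   -- replace with real corporate egress CIDRs
  COMMENT = 'Default-deny: only known corporate egress may authenticate';

-- Account-level activation. A user-level NETWORK_POLICY, if set, overrides this,
-- so the verification query below also lists users carrying their own policy.
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- Lesson 1: require MFA for every human user at the tenant level rather than
-- relying on per-user opt-in. (MFA_ENROLLMENT = REQUIRED is assumed syntax.)
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Close the whole population of password-only accounts at once';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- Verification for lessons 1 and 4: password-bearing users with no MFA enrolment
-- (EXT_AUTHN_DUO tracks Duo MFA in ACCOUNT_USAGE.USERS) or no successful login in
-- 90 days, i.e. the stale contractor and leaver accounts the campaign abused.
SELECT name,
       has_password,
       ext_authn_duo,
       last_success_login,
       disabled
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND (ext_authn_duo = FALSE
       OR last_success_login IS NULL
       OR last_success_login < DATEADD(day, -90, CURRENT_TIMESTAMP()))
ORDER BY last_success_login NULLS FIRST;

-- Users carrying their own NETWORK_POLICY parameter bypass the account policy.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
```

Run the verification query before and after enabling the policies: any row it still returns is an account the tenant-level controls have not yet reached.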
Frequently asked questions
Was Snowflake itself breached during the UNC5537 campaign?
No. Per Mandiant's June 10, 2024 report and Snowflake CISO statements, the company's own systems were not compromised. The actor authenticated to customer tenants using credentials stolen years earlier by commodity infostealer malware. The architectural gap was the absence of customer-tenant MFA enforcement, which Snowflake later changed to default-on for new accounts.
How did stolen credentials from 2020 still work in 2024?
Many affected accounts had never enabled MFA, never rotated their passwords, and never had network policies restricting source IPs. Mandiant documented credentials from RedLine, Vidar, Lumma, and Raccoon Stealer logs dating to 2020. Without MFA enforcement at the tenant level, password age was the only control, and stale credentials authenticated successfully.
What did regulators and victims do after the Snowflake campaign?
AT&T disclosed in a July 12, 2024 8-K filing that approximately 109 million customer records were downloaded. Live Nation disclosed Ticketmaster impact in a May 31, 2024 8-K. Senator Blumenthal sent a July 16, 2024 inquiry to Snowflake. The DOJ unsealed charges against Connor Riley Moucka on November 5, 2024. Snowflake added default MFA on July 9, 2024 and tenant-level MFA enforcement on October 8, 2024.
Sources
- Mandiant: UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion · June 10, 2024 Mandiant attribution and technical analysis
- Snowflake: Detecting and Preventing Unauthorized User Access · Snowflake CISO statement and customer guidance, May 30, 2024
- CISA Alert: Snowflake Customer Instances Targeted · CISA notification advising customer hardening
- AT&T 8-K Filing on Customer Data Incident (July 12, 2024) · AT&T disclosure of approximately 109 million customer records
- US Senator Blumenthal Letter to Snowflake CEO (July 16, 2024) · Congressional inquiry into Snowflake security architecture
- DOJ Complaint Against Connor Riley Moucka (Judische) · November 2024 DOJ charges against alleged UNC5537 operator
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.