UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion

UNC5537 is a financially motivated threat actor that targets Snowflake customer instances with credentials stolen by infostealer malware, exfiltrates data, and then extorts the victims. Mandiant and Snowflake notified approximately 165 potentially exposed organizations and published hardening guidance to mitigate the campaign.

Keypoints

  • UNC5537 targeted Snowflake customer instances using stolen customer credentials obtained from multiple infostealer campaigns.
  • About 165 organizations were notified as potentially exposed; at least 79.7% of the accounts the actor used had credentials previously exposed in infostealer logs.
  • Major intrusion factors included lack of MFA, long-lived credentials with no rotation, and no network allow lists.
  • Reconnaissance and access leveraged the Snowflake UI/Snowsight, SnowSQL, and the attacker tool FROSTBITE (seen in session logs under the client application ID "rapeflake"), with DBeaver Ultimate used to run queries.
  • Data staging and exfiltration used SQL commands (SHOW TABLES, SELECT, COPY INTO) and temporary stages, with data compressed via gzip.
  • Attacker infrastructure included VPNs (Mullvad/PIA), VPS hosting (ALEXHOST), and MEGA as storage for stolen data.
  • Contractor laptops and personal devices often acted as initial entry points, highlighting supply-chain/vendor risk and the need for credential hygiene and MFA.
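The three gaps in the bullets above (no MFA, unrotated long-lived credentials, no network allow list) map directly onto Snowflake account controls. The statements below are an added example, not code from the Mandiant/Snowflake report: the policy names, the user names exposed_user and svc_etl, and the IP ranges (RFC 5737 documentation addresses) are placeholders, and the authentication-policy statements assume the account has that feature available.

```sql
-- Added example (not from the report). Run as ACCOUNTADMIN or a role with the
-- relevant privileges. Policy/user names and IP ranges are placeholders.

-- 1. Inventory: users that can log in with a password but have no MFA, or
--    whose password is older than 90 days. ACCOUNT_USAGE views lag live
--    state by up to a few hours.
SELECT name, login_name, has_mfa, has_rsa_public_key,
       password_last_set_time, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND (has_mfa = FALSE
       OR password_last_set_time < DATEADD(day, -90, CURRENT_TIMESTAMP()))
ORDER BY has_mfa, password_last_set_time;

-- 2. Network allow list: only the corporate egress range and the pipeline
--    NAT address may reach the account. Snowflake refuses an account-level
--    policy that would block the session applying it, but verify the list
--    before activating it anyway.
CREATE OR REPLACE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.25')
  COMMENT = 'Placeholder ranges; replace with real egress addresses';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 3. MFA: require enrolment for password logins via an authentication
--    policy (assumes authentication policies are available in the account).
CREATE OR REPLACE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Every password-based user must enrol in MFA';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 4. Rotation: cap password age account-wide, and force a reset for any
--    account whose credentials appear in infostealer logs.
CREATE OR REPLACE PASSWORD POLICY rotate_90d
  PASSWORD_MIN_LENGTH = 14
  PASSWORD_MAX_AGE_DAYS = 90;
ALTER ACCOUNT SET PASSWORD POLICY rotate_90d;
ALTER USER exposed_user RESET PASSWORD;   -- returns a one-time reset URL

-- 5. Service accounts: replace static passwords with key-pair authentication
--    and rotate keys through the second key slot. (PEM body omitted.)
ALTER USER svc_etl SET RSA_PUBLIC_KEY_2 = '<new public key PEM body>';
-- deploy the matching private key to the pipeline, confirm logins succeed, then:
ALTER USER svc_etl UNSET RSA_PUBLIC_KEY;
ALTER USER svc_etl UNSET PASSWORD;
```

Two caveats a practitioner should keep in mind: an authentication policy only governs logins Snowflake itself authenticates, so MFA for SSO users has to be enforced at the identity provider; and resetting a password does not end sessions that are already open, so a compromised account should also be checked for live sessions and, if necessary, disabled.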

MITRE Techniques

  • [T1078] Valid Accounts – Access to Snowflake using stolen credentials. “Based on our investigations to date, UNC5537 obtained access to multiple organizations’ Snowflake customer instances via stolen customer credentials.”
  • [T1059] Command and Scripting Interpreter – Use of the SnowSQL CLI and attacker utilities to issue SQL against victim instances. “Initial access to Snowflake customer instances often occurred via the native web-based UI (SnowFlake UI AKA SnowSight) and/or command-line interface (CLI) tool (SnowSQL) running on Windows Server 2022.”
  • [T1087] Account Discovery – Discovery of users, roles, IPs, session IDs, and organization names via FROSTBITE. “FROSTBITE has been observed performing SQL recon activities including listing users, current roles, current IPs, session IDs, and organization names.”
  • [T1074] Data Staged – Data staging using temporary stages. “CREATE TEMPORARY STAGE … Stages are named tables that store data files for loading and unloading into database tables. If the stage is identified as temporary on creation, the stage is deleted once the creator’s current Snowflake session ends.”
  • [T1567.002] Exfiltration to Cloud Storage – Copying data to attacker stages and exfiltrating, including compression. “The COPY INTO command can be used to copy information to/from internal stages, external stages tied to cloud services, and internal Snowflake tables.”
  • [T1090] Proxy – Use of VPN IPs to access victim instances. “primarily used Mullvad or Private Internet Access (PIA) VPN IP addresses to access victim Snowflake instances.”

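The natural follow-up to the technique list is what this activity looks like in the account's own telemetry. The query below is an added example, not the report's or Snowflake's own code: it joins SESSIONS to LOGIN_HISTORY to find sessions opened by client application IDs seen in the campaign, or by any password login that never presented a second factor, and then pulls the queries from those sessions that match the staging-and-unload pattern described under T1074 and T1567.002 (SHOW TABLES, CREATE TEMPORARY STAGE, COPY INTO a stage or external location, gzip compression). The 30-day window and the indicator list are choices made here, not thresholds from the report.

```sql
-- Added example; not the report's or Snowflake's own query. ACCOUNT_USAGE
-- views lag live activity by up to a few hours and keep one year of history.
WITH suspicious_sessions AS (
  SELECT s.session_id,
         s.user_name,
         s.created_on,
         s.client_application_id,
         l.client_ip,
         l.first_authentication_factor,
         l.second_authentication_factor
  FROM snowflake.account_usage.sessions s
  JOIN snowflake.account_usage.login_history l
    ON l.event_id = s.login_event_id
  WHERE s.created_on >= DATEADD(day, -30, CURRENT_TIMESTAMP())
    AND l.is_success = 'YES'
    AND (
          -- client application IDs listed as indicators for the campaign;
          -- the JDBC/PythonConnector/SnowSQL entries are ordinary client
          -- libraries, so on their own they are low fidelity
          s.client_application_id ILIKE 'rapeflake%'
       OR s.client_application_id ILIKE 'DBeaver_DBeaverUltimate%'
       OR s.client_application_id ILIKE 'Go 1.1.5%'
       OR s.client_application_id ILIKE 'PythonConnector 2.7.6%'
       OR s.client_application_id ILIKE 'JDBC 3.13.30%'
       OR s.client_application_id ILIKE 'JDBC 3.15.0%'
       OR s.client_application_id ILIKE 'SnowSQL 1.2.32%'
          -- or any password login that completed without a second factor
       OR (l.first_authentication_factor = 'PASSWORD'
           AND l.second_authentication_factor IS NULL)
        )
),
staging_queries AS (
  SELECT q.session_id,
         q.query_id,
         q.start_time,
         q.query_type,
         q.rows_produced,
         q.query_text
  FROM snowflake.account_usage.query_history q
  WHERE q.start_time >= DATEADD(day, -30, CURRENT_TIMESTAMP())
    AND (
          q.query_text ILIKE 'SHOW TABLES%'                -- enumeration
       OR q.query_text ILIKE '%CREATE%TEMPORARY%STAGE%'    -- short-lived staging area
       OR q.query_text ILIKE '%COPY INTO%@%'               -- unload into a stage
       OR q.query_text ILIKE '%COPY INTO%://%'             -- unload to s3://, azure://, gcs://
       OR q.query_text ILIKE '%COMPRESSION%GZIP%'          -- gzip before download
        )
)
SELECT ss.user_name,
       ss.client_ip,
       ss.client_application_id,
       ss.first_authentication_factor,
       ss.second_authentication_factor,
       sq.start_time,
       sq.query_type,
       sq.rows_produced,
       LEFT(sq.query_text, 160) AS query_text_head
FROM suspicious_sessions ss
JOIN staging_queries sq
  ON sq.session_id = ss.session_id
ORDER BY ss.user_name, sq.start_time;
```

The no-second-factor clause will match every legitimate password-only login in an account that has not yet enforced MFA, which is the point: those are the sessions that need review first. The client application ID is reported by the client and can be spoofed, so treat it as a pivot, not proof. rows_produced on the COPY INTO rows gives a first estimate of how much data left each table, which matters when a victim has to size the exposure before responding to an extortion demand.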
Indicators of Compromise

  • [IP Address] 45.27.26.205, 37.19.210.21 – client IPs from the sample log entries the report attributes to the attacker.
  • [Software/Tool] Rapeflake (FROSTBITE), DBeaver_DBeaverUltimate, Go 1.1.5, JDBC 3.13.30, JDBC 3.15.0, PythonConnector 2.7.6, SnowSQL 1.2.32, Snowflake UI, Snowsight AI – client application IDs observed in the campaign's sessions. Only the first two are attacker-specific; the rest are standard Snowflake client libraries and versions, so match them in combination with other indicators rather than on their own.
  • [Cloud/Storage] MEGA – used to store stolen victim data.
  • [VPN/Network] Mullvad, Private Internet Access (PIA) – VPN providers used to access victim instances.
  • [Malware Family] VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA, METASTEALER – infostealer families linked to the credential exposure.

Read more: https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion/