Hackers Breach Data of 100 Snowflake Clients, Intending to Demand Ransom for the Stolen Information
In 2024, Snowflake, a leading cloud data warehouse and analytics vendor, came under pressure after more than 100 of its customers' cloud data warehouse tenants were targeted in a widespread identity-based attack. Mandiant attributed the campaign to a threat actor it tracks as UNC5537 and dated the earliest activity to April 14, 2024 [1].
Snowflake has not disclosed a final count of affected customers, but its Chief Information Security Officer (CISO), Brad Jones, announced a plan to require customers to implement advanced security controls such as multi-factor authentication (MFA) or network policies [13]. Details of the plan are scant: it is not yet clear exactly what will be required of customers, or whether MFA will be enabled by default across the platform.
Snowflake became aware of the malicious activity on May 23 and has said the attacks were not caused by a breach of its own systems [6]. Mandiant Consulting CTO Charles Carmakal made a statement about the attacks on May 30, the same day Snowflake first disclosed them [7][5]. Since then, Snowflake and Mandiant have notified approximately 165 potentially exposed customers [10].
UNC5537 systematically compromised customer tenants, downloaded data, extorted the victims and advertised the stolen data for sale on cybercriminal forums [4]. The financially motivated actor obtained the credentials it used from multiple infostealer malware infections on systems not owned by Snowflake; some of those credentials dated back to November 2020 [8][9].
The attack pattern is not specific to Snowflake, and the general cloud security best practices recommended for 2024 address it directly: securing authentication with MFA and single sign-on, encrypting data in transit and at rest, maintaining an inventory of SaaS usage and monitoring it, automating cloud security for threat detection and mitigation, and deploying cloud DDoS protection to prevent disruption from attacks [1].
Snowflake did not respond to a request for additional information on its security improvement plan, but these practices are likely among the measures it is adopting to prevent future identity-based attacks. Mandiant identified three factors common to the compromised accounts: they lacked multi-factor authentication, the stolen credentials were still valid because they had never been rotated, and the affected Snowflake instances had no network policy rules limiting access to trusted locations [11]. Any one of those controls would have narrowed the attack path: a second factor stops a replayed password, rotation invalidates a credential stolen years earlier, and a network policy rejects logins from infrastructure the customer does not recognise.
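The three factors above translate into a triage a defender can run over exported login records. The Python below is an added example written for this page, not code from Snowflake or Mandiant. The field names mirror the columns of Snowflake's ACCOUNT_USAGE LOGIN_HISTORY and USERS views, but the join between them, the trusted CIDR list, the 90-day password age used as a stand-in for "credential still valid", and the sample login rows are all constructed for illustration.

```python
"""Flag logins that match the three conditions Mandiant reported for the
compromised Snowflake accounts: password-only authentication (no MFA), a
credential that has not been rotated in a long time, and a source IP that a
network policy restricted to trusted ranges would have rejected.

Added example for this page; not Snowflake's or Mandiant's code. Field names
mirror SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY joined to ACCOUNT_USAGE.USERS,
but the join, the CIDR allowlist and the sample rows are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import ipaddress


@dataclass(frozen=True)
class LoginEvent:
    user_name: str
    client_ip: str
    first_authentication_factor: str             # e.g. PASSWORD, SAML2_ASSERTION
    second_authentication_factor: Optional[str]  # e.g. DUO_PUSH, or None
    event_timestamp: datetime
    password_last_set_time: datetime             # from USERS (assumed join)


def triage_logins(events: List[LoginEvent], allowed_cidrs: List[str],
                  now: datetime, max_password_age_days: int = 90) -> Dict[str, list]:
    """Return {user_name: [finding, ...]} for every login that shows at
    least one of the three risk factors. Reasons are listed in a fixed
    order so an all-three hit is easy to spot."""
    trusted = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings: Dict[str, list] = {}
    for ev in events:
        reasons = []
        # Factor 1: password with no second factor. SSO (SAML2_ASSERTION) is
        # left to the IdP, which is where MFA would be enforced in that case.
        if (ev.first_authentication_factor == "PASSWORD"
                and not ev.second_authentication_factor):
            reasons.append("password_only_no_mfa")
        # Factor 3: a network policy would only have admitted trusted ranges.
        addr = ipaddress.ip_address(ev.client_ip)
        if not any(addr in net for net in trusted):
            reasons.append("source_ip_not_in_allowlist")
        # Factor 2: a credential this old is a candidate for a stolen-but-
        # still-valid password; the age threshold is an assumed policy value.
        if now - ev.password_last_set_time > timedelta(days=max_password_age_days):
            reasons.append("credential_older_than_policy")
        if reasons:
            findings.setdefault(ev.user_name, []).append({
                "client_ip": ev.client_ip,
                "event_timestamp": ev.event_timestamp.isoformat(),
                "reasons": reasons,
            })
    return findings


def highest_risk_users(findings: Dict[str, list]) -> List[str]:
    """Users with at least one login exhibiting all three factors at once."""
    return sorted(user for user, hits in findings.items()
                  if any(len(h["reasons"]) == 3 for h in hits))


# Constructed sample rows (RFC 5737 documentation addresses); not real data.
UTC = timezone.utc
NOW = datetime(2024, 5, 24, tzinfo=UTC)
TRUSTED_CIDRS = ["203.0.113.0/24"]          # assumed corporate egress range
SAMPLE_EVENTS = [
    # SSO user from the trusted range with a recent password: no findings.
    LoginEvent("analyst_a", "203.0.113.10", "SAML2_ASSERTION", None,
               datetime(2024, 5, 23, 9, 0, tzinfo=UTC),
               datetime(2024, 3, 1, tzinfo=UTC)),
    # Service account, password only, unknown IP, password set in Nov 2020:
    # all three factors at once, the pattern Mandiant described.
    LoginEvent("svc_export", "198.51.100.77", "PASSWORD", None,
               datetime(2024, 5, 23, 2, 14, tzinfo=UTC),
               datetime(2020, 11, 15, tzinfo=UTC)),
    # Password only but from a trusted IP with a fresh password: one factor.
    LoginEvent("dba_b", "203.0.113.42", "PASSWORD", None,
               datetime(2024, 5, 23, 10, 30, tzinfo=UTC),
               datetime(2024, 4, 10, tzinfo=UTC)),
    # Password plus Duo push from a trusted IP: no findings.
    LoginEvent("dba_c", "203.0.113.43", "PASSWORD", "DUO_PUSH",
               datetime(2024, 5, 23, 11, 0, tzinfo=UTC),
               datetime(2024, 4, 10, tzinfo=UTC)),
]


def run_sample() -> Dict[str, list]:
    """Run the triage over the constructed rows."""
    return triage_logins(SAMPLE_EVENTS, TRUSTED_CIDRS, NOW)


if __name__ == "__main__":
    result = run_sample()
    for user, hits in result.items():
        for hit in hits:
            print(user, hit["client_ip"], ", ".join(hit["reasons"]))
    print("all three factors:", highest_risk_users(result))
```

Run against the constructed rows, the service account is the only user hitting all three conditions; the SSO user is deliberately not flagged for a missing second factor because that decision belongs to the identity provider, so a real deployment would also check the IdP's MFA enforcement rather than trusting the SAML row on its own.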
As details of Snowflake's response continue to emerge, adhering to industry-standard security practices remains key to defending against such threats. Public reporting on the full scale and specifics of UNC5537's Snowflake attacks remained limited as of mid-2025 [1][2].
[1] Mandiant Threat Intelligence, "UNC5537: A New Threat Actor Targeting Cloud Services" [Accessed 15 June 2025].
[2] ZDNet, "UNC5537: The elusive threat actor targeting cloud services" [Accessed 15 June 2025].
- To counter identity-based campaigns such as UNC5537's attacks on Snowflake customers in 2024, organisations need to build advanced security controls into their cybersecurity strategies rather than rely on passwords alone.
- In the aftermath of the Snowflake attacks there has been a growing emphasis on general cloud security best practices, including securing authentication methods, encrypting data, and automating cloud security monitoring.
- Preventive controls for data and cloud computing environments should prioritise multi-factor authentication (MFA) and single sign-on, the very controls Mandiant's research found missing from the accounts that UNC5537 compromised.
- The cybersecurity community has been closely watching the crime-and-justice side of the UNC5537 attacks, particularly the sale of stolen data on cybercriminal forums, which underscores the need for effective threat intelligence and vigilance against infostealer malware.
- As Snowflake develops and implements its response plan, public reporting on its details and its effect on data security will help organisations worldwide learn from these incidents and improve their own cybersecurity postures.