Violation of Snowflake Inc. leaves close to 165 organisations compromised in one of the biggest data breaches in recent history
July 26, 2024

Since the first week of June, a cyberattack centred on cloud storage provider Snowflake has resulted in security breaches at more than 165 organisations. Snowflake is one of the most popular cloud data storage companies in the world, helping its clients manage and secure their data. Google's cybersecurity subsidiary Mandiant published a detailed blog post earlier this week setting out the information that could be reliably verified. According to that report, the attacks were carried out by a threat actor currently tracked as UNC5537, a financially motivated group that is extorting victims for their sensitive data or selling it on cybercrime forums. The most significant data breaches recorded so far are at online ticket sales and distribution company Ticketmaster and at Santander Bank.

As mentioned, the Snowflake compromise has resulted in breaches at 165 other organisations. Cybersecurity firms such as Mandiant had been flagging UNC5537 activity as far back as April 2024. According to Mandiant, the majority of the credentials the threat group used had been stolen in 2020 through older infostealer infections. Infostealers are malware designed specifically to harvest credentials and other data from systems they have already compromised. Some of the affected organisations had also been breached through a third-party contractor that allowed its employees to carry out their professional duties on personal devices. As of now, Mandiant does not believe that Snowflake's own enterprise environment has been compromised.


Both Mandiant and Snowflake began warning the organisations they believed had been compromised on the 22nd of May. Cyber-intelligence firm Hudson Rock also published a report in May naming the companies that had been breached; legal intervention by Snowflake has since forced them to take it down. According to the 'UNC5537 Campaign Timeline' published by Mandiant, the threat group first advertised compromised data for sale on the 24th of May, two days after the incident had been made public by the cybersecurity firm.

The comparatively long period over which the attack progressed is one of the most interesting aspects of the case, and one that will no doubt have researchers and industry analysts scratching their heads for some time to come. What we do know is that at least 79.7% of the accounts UNC5537 leveraged to carry out its attacks had been breached outside Snowflake's management, pointing to a neglect of cybersecurity in most companies that is glaring in an age when cyberattacks are weaponised even against governments. So glaring is this neglect that the attack mainly succeeded against client accounts that had not turned on multi-factor authentication (MFA) for sign-in.

Snowflake is now asking all its account holders to turn on MFA, alongside other basic security recommendations: setting up network policy rules that allow access only from trusted locations, and rotating user credentials. These simple policies eliminate many of the weaknesses that lead to breaches, or at least make exploiting them far more expensive for cybercriminals. That matters because keeping operations cost-effective is an important element of making cybercrime profitable. Credential stuffing attacks, which are among the cheapest, depend on victims not putting up the most basic of defences, like MFA. According to Chris Hauk of Pixel Privacy, cited in CSO Online, “Unfortunately, IT departments receive pushback from users when it comes to using two-factor authentication. Users do not like using MFA, as it adds another step to the authorization process.” MFA also increases the complexity of IT management, as enrolling and managing users within the process is not always easy or cheap.
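The three recommendations above, written out as Snowflake SQL. This is an added illustration, not code from the article or from Snowflake's own guidance; the IP ranges, user names and the `policies.sec` schema are constructed placeholders, and the authentication-policy statement assumes the account has that feature available.

```sql
-- Added example: the controls the article lists, as Snowflake SQL.
-- All IPs, user names and the policies.sec schema are constructed placeholders.
USE ROLE SECURITYADMIN;   -- assumption: a role with the required privileges

-- 1. Network policy: only trusted egress may reach the account.
--    Snowflake checks BLOCKED_IP_LIST before ALLOWED_IP_LIST, so a single
--    blocked host inside an allowed range still loses.
CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')   -- VPN egress, office
  BLOCKED_IP_LIST = ('203.0.113.250')                     -- a retired jump host
  COMMENT = 'Only corporate egress may reach this account';

-- Run this from an address inside ALLOWED_IP_LIST or you will lock yourself out.
-- Once set, a stolen password is useless from an attacker's own IP.
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 2. Rotate credentials that an infostealer may have captured.
--    The temporary value must be changed at next login.
ALTER USER jdoe SET PASSWORD = '<new-random-temporary-password>'
                    MUST_CHANGE_PASSWORD = TRUE;

--    Non-human accounts should hold no password at all: move them to key-pair
--    authentication and drop the password so a leaked copy no longer works.
ALTER USER svc_etl SET RSA_PUBLIC_KEY = '<PEM public key body>';  -- placeholder
ALTER USER svc_etl UNSET PASSWORD;

-- 3. Require MFA. Assumption: the account supports authentication policies
--    with MFA_ENROLLMENT = REQUIRED; they are schema-level objects.
CREATE DATABASE IF NOT EXISTS policies;
CREATE SCHEMA   IF NOT EXISTS policies.sec;
CREATE AUTHENTICATION POLICY policies.sec.require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Password users must enrol in MFA at next sign-in';
ALTER ACCOUNT SET AUTHENTICATION POLICY policies.sec.require_mfa;

-- Verify: password-holding users who have still not enrolled in Duo MFA.
-- EXT_AUTHN_DUO is the enrolment flag; ACCOUNT_USAGE data lags by up to ~2 h.
SELECT name, has_password, ext_authn_duo, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;
```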

MFA can also be taken a step further, by setting up automatic password rotation so that each password is effectively single-use. This further insulates a system against attacks such as keyloggers. Snowflake had given its clientele the access needed to implement this; it was up to the clients to make use of it. Protecting non-human accounts is also an important element of cybersecurity, a critical point given that these 'users' have permission to carry out a number of automated tasks. Addressing these potential weak points, attending to breaches promptly and updating credentials are all vital. As the Snowflake incident shows, too many companies are content not to monitor their own security, and so cannot ensure that breaches are detected and rectified rather than going unnoticed.
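A retrospective check for the monitoring gap just described, as an added Snowflake SQL example that is not from the article: it lists successful password-only logins (no second factor) from outside the trusted ranges over the last 90 days. The trusted ranges are constructed, and `PARSE_IP` is used for the CIDR matching.

```sql
-- Added example: find successful logins that relied on a password alone and
-- came from outside the trusted ranges. Ranges below are constructed.
WITH trusted AS (
  SELECT cidr,
         PARSE_IP(cidr, 'INET'):ipv4_range_start::INT AS lo,
         PARSE_IP(cidr, 'INET'):ipv4_range_end::INT   AS hi
  FROM (VALUES ('203.0.113.0/24'), ('198.51.100.10/32')) AS t(cidr)
),
logins AS (
  SELECT event_timestamp, user_name, client_ip, reported_client_type,
         first_authentication_factor, second_authentication_factor,
         -- IPv6 sources yield NULL here and therefore never match a range,
         -- so they surface as untrusted rather than silently passing.
         PARSE_IP(client_ip, 'INET'):ipv4::INT AS ip_int
  FROM snowflake.account_usage.login_history
  WHERE is_success = 'YES'
    AND event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
)
SELECT l.user_name,
       l.client_ip,
       l.reported_client_type,
       COUNT(*)               AS logins,
       MIN(l.event_timestamp) AS first_seen,
       MAX(l.event_timestamp) AS last_seen
FROM logins l
LEFT JOIN trusted t ON l.ip_int BETWEEN t.lo AND t.hi
WHERE t.cidr IS NULL                              -- outside every trusted range
  AND l.first_authentication_factor = 'PASSWORD'
  AND l.second_authentication_factor IS NULL      -- no MFA on this login
GROUP BY 1, 2, 3
ORDER BY last_seen DESC;
```

Each row is a user, source address and client type that an attacker holding only a stolen password could have used; rows with an unfamiliar driver or a first_seen well after the user's normal pattern deserve a credential reset and a closer look at what that session queried.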


Given these obvious oversights, some would even argue that calling the entire incident the 'Snowflake data breach' is a little reductive. According to Mandiant, a utility called 'rapeflake', now tracked under the moniker 'FROSTBITE', is the actual tool being used to access Snowflake's customer portals. The situation is still evolving, as more and more targets come forward and make themselves known. If the incident teaches us anything, it is that we might ignore the most basic principles of safety, but our enemies won't.


(Theruni Liyanage)

© All content copyright The Hype Economy. Do not reproduce in any form without permission, even if you have a paid subscription.