Snowflake hacker may still be active, and hunting down new victims, experts claim

A zoomed-in picture of a computer screen displaying a login window with a password typed in
(Image credit: Future)

The hacker that managed to break into countless corporate Snowflake accounts and steal the data found inside is still active, researchers are saying. To this day, they are actively trying to extort money out of the victims of the attack that happened months ago.

This is according to Mandiant’s senior threat analyst Austin Larsen, Cyberscoop reports. Larsen spoke during SentinelOne’s LABScon security conference that took place last week and shared the news on the progress of the investigation. Mandiant was the company that Snowflake brought in to investigate the incident this spring, when it was first spotted.

Back then, Mandiant said it was tracking the crook under the moniker UNC5537, but since then they said they go by either “Judische”, or “Waifu”. They are actively targeting software-as-a-service (SaaS) organizations, and the newest incident happened “as recently as today,” Larsen said.

Brute-force

In April this year, a threat actor mounted a brute-force attack against the cloud storage service provider Snowflake, since many of its customers were not using multi-factor authentication (MFA). They successfully broke into many organizations, including Santander Bank, Ticketmaster, and many others. Initially, it was thought that at least 165 organizations were compromised. However, Larsen now believes mere “dozens” of firms were affected.

Mandiant “obtained a series of private communications in which we were able to identify [Judische and associates] essentially coordinating and planning a lot of the Snowflake activity, in some cases, even telling the IP address that they’re dumping logs to,” Cyberscoop cited Larsen.

The group allegedly extorted between $2 million and $2.7 million, and continues to strike organizations to this day.

The identity of the attacker is unknown, but the truth is slowly unraveling. Both Mandiant and cybersecurity journalist Brian Krebs believe the hacker is a 26-year-old software engineer located in Ontario, Canada.

Via Cyberscoop

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.