Snowflake hacker may still be active, and hunting down new victims, experts claim

News
By published

The number of victims is not in the hundreds, they say

A zoomed-in picture of a computer screen displaying a login window with a password typed in
(Image credit: Future)

The hacker that managed to break into countless corporate Snowflake accounts and steal the data found inside is still active, researchers are saying. To this day, they are actively trying to extort money out of the victims of the attack that happened months ago.

This is according to Mandiant’s senior threat analyst Austin Larsen, Cyberscoop reports. Larsen spoke during SentinelOne’s LABScon security conference that took place last week and shared the news on the progress of the investigation. Mandiant was the company that Snowflake brought in to investigate the incident this spring, when it was first spotted.

Back then, Mandiant said it was tracking the crook under the moniker UNC5537, but since then they said they go by either “Judische”, or “Waifu”. They are actively targeting software-as-a-service (SaaS) organizations, and the newest incident happened “as recently as today,” Larsen said.

Brute-force

In April this year, a threat actor mounted a brute-force attack against the cloud storage service provider Snowflake, since many of its customers were not using multi-factor authentication (MFA). They successfully broke into many organizations, including Santander Bank, Ticketmaster, and many others. Initially, it was thought that at least 165 organizations were compromised. However, Larsen now believes mere “dozens” of firms were affected.

Mandiant “obtained a series of private communications in which we were able to identify [Judische and associates] essentially coordinating and planning a lot of the Snowflake activity, in some cases, even telling the IP address that they’re dumping logs to,” Cyberscoop cited Larsen.

The group allegedly extorted between $2 million and $2.7 million, and continues to strike organizations to this day.

The identity of the attacker is unknown, but the truth is slowly unraveling. Both Mandiant and cybersecurity journalist Brian Krebs believe the hacker is a 26-year-old software engineer located in Ontario, Canada.

Via Cyberscoop

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
US soldier pleads guilty to AT&T and Verizon cyberattacks, linked to Snowflake data theft
A person at a laptop with a cybersecure lock symbol floating above it.
Cybercrime gang targets victims with "triple threat" attacks
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
59 organizations reportedly victim to breaches caused by Cleo software bug
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Cisco, ASUS, QNAP, and Synology devices hijacked to major botnet
Representational image depecting cybersecurity protection
Top venture capital firm Insight Partners confirms it was hit by cyberattack
Closing the cybersecurity skills gap
HPE starts contacting victims of 2023 Russian cyberattack
Latest in Security
Data leak
Top home hardware firm data leak could see millions of customers affected
Representational image depecting cybersecurity protection
Third-party security issues could be the biggest threat facing your business
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Android Logo
Devious new Android malware uses a Microsoft tool to avoid being spotted
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Latest in News
An image of Pro-Ject's Flatten it closed and opened
Pro-Ject’s new vinyl flattener will fix any warped LPs you inadvertently buy on Record Store Day
EA Sports F1 25 promotional image featuring drivers Oscar Piastri, Carlos Sainz and Oliver Bearman.
F1 25 has been officially announced, with this year's entry marking a return for Braking Point and a 'significant overhaul' for My Team mode
Garmin clippd integration
Garmin's golf watches just got a big software integration upgrade to help you improve your game
Robert Downey Jr reveals himself as Doctor Doom to a delighted crowd at San Diego Comic-Con 2024
Marvel is currently revealing the full cast for Avengers: Doomsday, and I think it's going to be a long-winded announcement
Samsung QN90F on yellow background
Samsung announces US prices for its 2025 mini-LED TV lineup, and it’s good and bad news
Nintendo Switch Lite
Forget the Nintendo Switch 2, the original Switch is getting one last hurrah in a surprise Nintendo Direct tomorrow
More about security
Data leak

Top home hardware firm data leak could see millions of customers affected
Representational image depecting cybersecurity protection

Third-party security issues could be the biggest threat facing your business
CoreWeave

Is CoreWeave another WeWork? Blogger who caused Nvidia market capitalization to drop by $600 billion in a day thinks so
See more latest
Most Popular
CoreWeave
Is CoreWeave another WeWork? Blogger who caused Nvidia market capitalization to drop by $600 billion in a day thinks so
Discord Clyde
Discord's game overlay has seen a complete revamp - I've tried it, and it's one of the best updates ever
Swiss flag with view of Geneva city, Switzerland
Secure encryption and online anonymity are now at risk in Switzerland – here's what you need to know
Data leak
Top home hardware firm data leak could see millions of customers affected
An image of Pro-Ject's Flatten it closed and opened
Pro-Ject’s new vinyl flattener will fix any warped LPs you inadvertently buy on Record Store Day
Canon EOS R50 V on a wooden table, alongside the EOS R50
I tried Canon's two new vlogging cameras – here's why the EOS R50 V offers better video value
Canon RF 20mm F1.4L VCM lens on a wooden table, alongside three other Canon hybrid prime lenses
Canon’s new 20mm f/1.4 lens could be the ultimate wide-angle prime for astro photography and video work, but its pricey
EA Sports F1 25 promotional image featuring drivers Oscar Piastri, Carlos Sainz and Oliver Bearman.
F1 25 has been officially announced, with this year's entry marking a return for Braking Point and a 'significant overhaul' for My Team mode
Garmin clippd integration
Garmin's golf watches just got a big software integration upgrade to help you improve your game
Samsung QN90F on yellow background
Samsung announces US prices for its 2025 mini-LED TV lineup, and it’s good and bad news