Hackers who targeted Snowflake customers are reportedly demanding ransom payments ranging from $300,000 to $5 million from as many as 10 breached companies.
The hacking group, known as UNC5537, accessed the Snowflake accounts of approximately 165 customers and stole valuable data, Bloomberg reported Monday (June 17).
Austin Larsen, a senior threat analyst at Google’s Mandiant security business, the cybersecurity firm leading Snowflake’s investigation, told Bloomberg that the hacking scheme has entered a “new stage” as the hackers aim to profit from the stolen information.
The group has begun auctioning the stolen data on illegal online forums in an attempt to pressure the affected companies into making ransom payments. Larsen said that the hackers are likely to continue their extortion attempts.
Snowflake, a cloud-based data analytics firm, confirmed the targeted campaign against its users on June 2; according to the report, the attackers exploited customer accounts that were protected only by single-factor authentication.
The company has not disclosed the specific customers affected by the attack. However, other companies have reported unauthorized access to third-party cloud databases hosted on Snowflake, the report said. Pure Storage has disclosed breaches of its Snowflake workspaces. Advance Auto Parts is also investigating potential Snowflake-related issues. Live Nation Entertainment, the owner of Ticketmaster, reported “unauthorized access” to an unnamed third-party cloud database, which has been reported to be hosted on Snowflake.
Mandiant has attributed the attack to UNC5537, a group with members based in North America and Turkey, per the report. Mandiant is also exploring the possibility of collaboration between UNC5537 and a diffuse cybercriminal group called “Scattered Spider.” While the nature of their relationship remains unclear, the investigation suggests that the two groups may have collaborated on at least one intrusion in the past six months.
The stolen data from Snowflake customers is now being offered for sale by illicit data brokers at prices higher than typical black-market rates, according to the report. This strategy aims to increase pressure on the affected companies to pay the ransom.
Snowflake has said that it plans to conclude its internal investigation into the hacking campaign and has not detected any unauthorized access to its customers’ servers in recent days, per the report.