UNC5537 Hackers Hijacking Snowflake Customer Instances With Stolen Logins

Threat actors penetrate the networks with the aim of obtaining unauthorized access to personal and corporate details, bank accounts, and organizational resources for purposes of identity theft, fraud, and data theft.

They can masquerade as legit users to gain access to a system, navigate into different sections, and perform other illicit actions that might go unnoticed until much damage has been done.


Cybersecurity researchers at Google Cloud recently identified that UNC5537 hackers have been actively hijacking the Snowflake customer instances with stolen logins.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

UNC5537 Hackers Hijacking Snowflake Databases

Snowflake customer database instances are the targets of a data theft and extortion campaign discovered by Mandiant, which is being waged by UNC5537, a financially motivated threat group.

The actors exploit infostealer malware to obtain stolen credentials, which they then use to systematically compromise victim environments without multi-factor authentication.

After that exfiltrating large volumes of data, they will advertise some of the stolen records on the internet for sale as they try and force victims into paying them to be left alone.

Instead, investigations show that unauthorized access originated from compromised customer credentials rather than Snowflake’s systems being hacked.

Mandiant and Snowflake have jointly informed around 165 potentially affected organizations as part of a coordinated effort during May 2024, with later giving advice on how such attacks can be detected.

This joint investigation continues with law enforcement agencies included.

Attack path (Source – Mandiant)

The multiple companies” Snowflake instances were hacked by UNC5537, which was able to utilize stolen customer credentials, mainly derived from infostealer malware attacks that started in 2020.

The lack of multi-factor authentication on given accounts, unrotated yet valid but compromised passwords, and failure to put up any network allow-listing controls allowed the threat actor to gain entry into the system and steal massive amounts of client data.

UNC5537 then made direct blackmail attempts and publicized the stolen documents on illegal websites.

This signifies how dangerous insufficient cloud access control and credential management could get for such information.

UNC5537 Campaign Timeline (Source – Mandiant)

It was found that since 2020, UNC5537 has used many Snowflake client codes from different infostealer malware.

Some of them were even released in November 2020.

Some of the breached accounts (at least 79.7%) were not protected by multi-factor authentication and got hit by password reuse or accidental infections in many cases on contractors’ personal devices accessing various clients.

First, there was initial access to these systems through Snowflake’s web UI, CLI tool, and a custom utility called “FROSTBITE” for reconnaissance purposes.

The threat actors then systematically staged and exfiltrated data across compromised instances via SQL queries and the DBeaver database management tool, taking advantage of the lack of access controls and credential hygiene.


Client Application IDS:-

  • Rapeflake
  • DBeaver_DBeaverUltimate
  • Go 1.1.5
  • JDBC 3.13.30
  • JDBC 3.15.0
  • PythonConnector 2.7.6
  • SnowSQL 1.2.32
  • Snowflake UI 
  • Snowsight Al

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.