Snowflake customers targeted in a data breach; stolen personal information used for extortion
In a series of identity-based attacks, the cybercriminal group Scattered Spider has targeted over 100 Snowflake customers, according to reports. The attacks, which began in November 2020, have resulted in the downloading of data, extortion of victims, and the advertisement of victim data for sale on cybercriminal forums.
The attacks were not caused by a breach of Snowflake's systems but rather by the exploitation of weaknesses in individual organisations' credential management. The group primarily obtained stolen credentials from compromised contractor machines and by impersonating IT help desks.
Snowflake first disclosed the attacks on May 30, and Mandiant Consulting CTO Charles Carmakal made a statement about the attacks on the same day. Mandiant has stated that impacted customer accounts in the Snowflake attacks were not configured with multifactor authentication (MFA).
The exact number of affected customers has not been specifically quantified in public reports, but the group has targeted many large organisations across industries including retail, insurance, and airlines. Mandiant has also noted that the stolen credentials used in the attacks were still valid.
Snowflake's response plan reflects the importance of reinforcing identity risk management: adopting MFA, rotating passwords, and improving visibility into identities and their active sessions. However, attackers bypassed MFA by stealing session tokens that were active on compromised machines, so defensive actions need to go beyond static credentials to include session monitoring and attack path visibility.
Snowflake's Chief Information Security Officer (CISO), Brad Jones, announced a plan to require customers to implement advanced security controls such as MFA or network policies. It is unclear if MFA will be turned on by default across Snowflake's platform.
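The controls described above (MFA, network policies, visibility into sessions) can be checked against login telemetry. The following is an added example, not code from the article, Snowflake or Mandiant: it triages constructed rows whose field names are modelled on Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view, flagging password-only logins, logins from outside an assumed network-policy allowlist, and any user seen on both trusted and untrusted networks.

```python
import ipaddress

# Constructed sample rows (invented values, not incident data) using field
# names modelled on the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view.
LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2024-05-30T08:02:11", "USER_NAME": "ANALYST_1",
     "CLIENT_IP": "10.20.30.40", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-30T09:15:44", "USER_NAME": "SVC_ETL",
     "CLIENT_IP": "198.51.100.7", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-30T09:20:01", "USER_NAME": "ANALYST_1",
     "CLIENT_IP": "203.0.113.9", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]

# Assumed allowlist standing in for an account-level network policy.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                    ipaddress.ip_network("198.51.100.0/24")]


def in_allowed_network(ip: str) -> bool:
    """True if the client address falls inside the network policy."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def triage_logins(rows):
    """Return (user, reason) findings for successful logins that lack MFA,
    arrive from outside the network policy, or show one user on both
    trusted and untrusted addresses (a pattern consistent with a stolen
    but still-valid credential being reused from another machine)."""
    findings = []
    seen_trusted, seen_untrusted = set(), set()
    for r in rows:
        if r["IS_SUCCESS"] != "YES":
            continue  # failed attempts are out of scope for this check
        user, ip = r["USER_NAME"], r["CLIENT_IP"]
        if (r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                and not r["SECOND_AUTHENTICATION_FACTOR"]):
            findings.append((user, "password-only login, no MFA"))
        if in_allowed_network(ip):
            seen_trusted.add(user)
        else:
            seen_untrusted.add(user)
            findings.append((user, f"login from {ip} outside network policy"))
    for user in sorted(seen_trusted & seen_untrusted):
        findings.append((user, "same user on trusted and untrusted networks"))
    return findings
```

Run against real LOGIN_HISTORY output, the same three checks give a quick view of which accounts still rely on passwords alone and which sessions originate outside the policy.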
Approximately 165 potentially exposed customers have been notified by Snowflake and Mandiant. Snowflake ended its most recent quarter on April 30 with 9,822 customers, suggesting that a significant proportion of its customer base may have been affected.
Despite the arrests of some Scattered Spider members, the group's tactics continue to evolve, and caution remains necessary against ongoing social engineering and identity-based attacks. The advisory highlights "many" incidents involving theft of Snowflake data access.
Snowflake did not respond to a request for additional information on its security improvement plan. The data warehouse and analytics vendor will need to take decisive action to address this security breach and reassure its customers of the safety of their data.
- The cybersecurity incident involving Snowflake, perpetrated by the Scattered Spider group, highlights the need for improved identity risk management and the adoption of multifactor authentication (MFA) to bolster security.
- The cybercriminals' targeting of over 100 Snowflake customers, which resulted in data theft, extortion, and data trading, was facilitated by the exploitation of weaknesses in individual organisations' credential management.
- Recent threat intelligence suggests that Snowflake's attackers bypassed MFA by stealing session tokens active on compromised machines, indicating that defensive actions should extend beyond static credentials to include session monitoring and attack path visibility.
- Snowflake has announced plans to require customers to implement advanced security controls such as MFA or network policies, but it remains uncertain if MFA will be enabled by default across its platform.
- As the threat landscape continues to evolve, it is crucial for cloud data platform vendors such as Snowflake to take decisive action to improve their cybersecurity measures, reassure their customers of the safety of their data, and curb ongoing social engineering and identity-based attacks.