11 June 2024

UNC5537 hackers target Snowflake customers for data theft and extortion

A financially motivated threat actor, known as UNC5537, is targeting Snowflake customer database instances in a broad campaign aimed at data theft and extortion, according to a new report from Google’s cybersecurity subsidiary Mandiant.

Snowflake is a cloud platform for data warehousing, data lakes, data engineering, data science, data application development, and secure sharing and consumption of real-time or shared data.

Mandiant says that UNC5537 has a history of stealing records from Snowflake customer environments. The group compromises Snowflake customer instances using stolen customer credentials, and then offers the stolen data for sale on underground forums or attempts to extort victims.

The company noted that it has found no evidence that “unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment.” The investigation into multiple security incidents involving Snowflake customers showed that UNC5537 gained access to organizations’ Snowflake customer instances using stolen credentials obtained via infostealer malware campaigns (VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER) that infected non-Snowflake-owned systems.

“The threat actor has subsequently begun to extort many of the victims directly and is actively attempting to sell the stolen customer data on recognized cybercriminal forums,” Mandiant said, adding that the majority of the credentials used by the threat actor were available from previous infostealer infections, some of which dated as far back as 2020.

The company explained that the attacks succeeded because of three factors: the lack of multi-factor authentication, the use of previously compromised credentials that had not been rotated or updated, and the absence of network allow lists restricting access to trusted locations.

In some of the cases, the malware compromise occurred on contractor systems that were also used for non-work-related activities such as gaming and downloading pirated software.

Initial access to Snowflake customer instances was often achieved through the native web-based UI (Snowflake UI, also known as SnowSight) and/or the command-line interface (CLI) tool (SnowSQL) operating on Windows Server 2022. Mandiant identified additional access using a malicious utility named “rapeflake,” which it tracks as FROSTBITE.

Although Mandiant has not yet recovered a complete sample of FROSTBITE, the company believes that it is used for reconnaissance against target Snowflake instances. Both .NET and Java versions of FROSTBITE have been observed.

The .NET version interacts with the Snowflake .NET driver, while the Java version interacts with the Snowflake JDBC driver. FROSTBITE has been seen performing SQL reconnaissance activities, including listing users, current roles, current IPs, session IDs, and organization names.

Additionally, Mandiant observed UNC5537 using a publicly available database management utility, DBeaver Ultimate, to connect and run queries across Snowflake instances.
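As an added illustration (not code from the report or from Mandiant), the following triage script runs over constructed login records shaped like an export of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view and flags the patterns the report ties to the campaign: successful password-only logins with no second factor, logins from outside a network allow list, and driver or CLI access of the kind FROSTBITE and SnowSQL use. The column names are assumed to match that view; the rows, user names and allow list are made up for the example.

```python
"""Triage constructed LOGIN_HISTORY-style rows for weaknesses the report
names: password-only logins (no MFA), logins from untrusted networks, and
programmatic client types. The second factor (unrotated credentials) needs
password-age data from the USERS view and is not checked here."""
import csv
import io
import ipaddress

# Header mirrors SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY (assumption); rows are constructed.
SAMPLE_LOGIN_HISTORY = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-05-20T08:01:00Z,analyst1,10.20.0.15,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-05-20T09:14:00Z,svc_reporting,10.20.0.40,JDBC_DRIVER,RSA_KEYPAIR,,YES
2024-05-21T02:33:00Z,contractor7,203.0.113.77,SNOWSQL,PASSWORD,,YES
2024-05-21T02:35:00Z,contractor7,203.0.113.77,DOTNET_DRIVER,PASSWORD,,YES
2024-05-21T03:10:00Z,analyst2,198.51.100.9,SNOWFLAKE_UI,PASSWORD,,NO
"""

TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed allow list
PROGRAMMATIC_CLIENTS = {"JDBC_DRIVER", "DOTNET_DRIVER", "SNOWSQL", "ODBC_DRIVER", "PYTHON_DRIVER"}


def triage_logins(csv_text, trusted_networks=TRUSTED_NETWORKS):
    """Return (user, ip, client, findings) for each successful login that
    matches at least one weakness; failed logins are skipped."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["IS_SUCCESS"] != "YES":
            continue
        findings = []
        # A password with no second factor is all a credential lifted by an
        # infostealer needs in order to be replayed.
        if row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD" and not row["SECOND_AUTHENTICATION_FACTOR"]:
            findings.append("no_mfa")
        # Without a network policy, logins from any source address succeed.
        ip = ipaddress.ip_address(row["CLIENT_IP"])
        if not any(ip in net for net in trusted_networks):
            findings.append("untrusted_ip")
        # Driver and CLI sessions are how the report describes FROSTBITE and SnowSQL access.
        if row["REPORTED_CLIENT_TYPE"] in PROGRAMMATIC_CLIENTS:
            findings.append("programmatic_client")
        if findings:
            results.append((row["USER_NAME"], row["CLIENT_IP"], row["REPORTED_CLIENT_TYPE"], findings))
    return results


if __name__ == "__main__":
    for user, ip, client, findings in triage_logins(SAMPLE_LOGIN_HISTORY):
        print(f"{user:15} {ip:15} {client:14} {', '.join(findings)}")
```

The key-pair service account is reported only for its driver use, while the contractor logins match all three patterns at once, which is the combination worth escalating.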
