Suspect Behind Snowflake Data-Theft Attacks Arrested in Canada

Summary:
Canadian authorities have detained Alexander "Connor" Moucka in connection with an extensive data breach campaign that compromised sensitive information from hundreds of millions of individuals. Moucka is suspected of orchestrating attacks on over 165 companies, all Snowflake cloud storage clients. His arrest on October 30, 2024, followed a provisional request from the United States, where he faces charges. After a brief court appearance, his case was rescheduled for November 5, 2024, as confirmed by the Canadian Department of Justice, which cited the sensitive nature of state-to-state extradition requests.

A joint investigation by Snowflake, Mandiant, and CrowdStrike traced the intrusions to a threat actor tracked as UNC5537, who exploited weak security configurations across multiple Snowflake customer accounts. According to the investigation, UNC5537 used credentials stolen by infostealer malware to log in to accounts that lacked multi-factor authentication, so a valid username and password alone was enough for unauthorized access. Because MFA was absent on so many accounts, this single attack vector let UNC5537 reach customer data across a range of industries.

Security Officer Comments:
The breaches began surfacing in April 2024. In May, Ticketmaster disclosed that data tied to 560 million customers was accessed and stolen from its Snowflake account, allegedly by ShinyHunters, a known cybercriminal group. Following this, in July, AT&T confirmed a breach in its Snowflake account, impacting the call logs of approximately 109 million mobile customers. The data, accessible on an online database from April 14 to April 25, 2024, included sensitive information and call metadata, raising concerns about data privacy and security practices within cloud-based environments. In light of these incidents, Snowflake announced new security policies aimed at mitigating similar risks in the future. Effective October 2024, all new Snowflake accounts are required to implement multi-factor authentication by default, along with a minimum password length of 14 characters. Snowflake’s commitment to enhancing security for its client base signals a broader industry push to ensure cloud storage integrity.
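The two controls described above (MFA required by default, 14-character minimum passwords) and the exposure pattern UNC5537 exploited (password-only logins with infostealer-stolen credentials) can both be expressed in Snowflake SQL. The following is an added example, not code from the original advisory or from Snowflake, Mandiant, or CrowdStrike; the policy, database and schema names are constructed, while the object types, properties and ACCOUNT_USAGE views are Snowflake's own. Note that ACCOUNT_USAGE views can lag live account state by up to a few hours.

```sql
-- Added example (not from the original advisory). Enforces MFA enrollment and a
-- 14-character password minimum at the account level, then audits for users and
-- logins that still match the credential-theft pattern described in the text.
-- security_db.policies, require_mfa_policy and min14_password_policy are
-- constructed names; replace them with your own naming convention.

USE ROLE ACCOUNTADMIN;
CREATE DATABASE IF NOT EXISTS security_db;
CREATE SCHEMA IF NOT EXISTS security_db.policies;
USE SCHEMA security_db.policies;

-- 1. Require every user to enroll in MFA (the control Snowflake made the default
--    for new accounts in October 2024, applied here to an existing account).
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_policy
  MFA_ENROLLMENT = REQUIRED;

-- 2. Enforce the 14-character minimum password length.
CREATE PASSWORD POLICY IF NOT EXISTS min14_password_policy
  PASSWORD_MIN_LENGTH = 14;

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;
ALTER ACCOUNT SET PASSWORD POLICY min14_password_policy;

-- 3. Audit: enabled users that can log in with a password but have no MFA.
--    These are the accounts a stolen infostealer credential would unlock.
SELECT name, last_success_login, created_on
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND has_mfa = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 4. Detection: successful single-factor (password-only) logins in the last
--    30 days, with the client IP and client type for triage. Review any
--    unfamiliar source addresses or client types against known users.
SELECT event_timestamp, user_name, client_ip, reported_client_type
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```

Steps 1 and 2 close the configuration gap the investigation identified; steps 3 and 4 are the recurring checks that show whether the gap is actually closed, since an authentication policy only takes effect on users' next login and existing password-only sessions remain visible in login_history until they age out of the window.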

Link(s):
https://www.bleepingcomputer.com/ne...wflake-data-theft-attacks-arrested-in-canada/