Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 15:00:25 UTC
 Other threat group: UNC5537
Names UNC5537 (Mandiant)
Country Canada
Motivation Financial gain
First seen 2024
Description
(Mandiant) Through the course of our incident response engagements and threat
intelligence collections, Mandiant has identified a threat campaign targeting Snowflake
customer database instances with the intent of data theft and extortion. Snowflake is a
multi-cloud data warehousing platform used to store and analyze large amounts of
structured and unstructured data. Mandiant tracks this cluster of activity as UNC5537, a
financially motivated threat actor suspected to have stolen a significant volume of
records from Snowflake customer environments. UNC5537 is systematically
compromising Snowflake customer instances using stolen customer credentials,
advertising victim data for sale on cybercrime forums, and attempting to extort many of
the victims.
Mandiant's investigation has not found any evidence to suggest that unauthorized
access to Snowflake customer accounts stemmed from a breach of Snowflake's
enterprise environment. Instead, every incident Mandiant responded to associated with
this campaign was traced back to compromised customer credentials.
Observed
Tools used
Counter operations
Nov 2024
Canadian Suspect Arrested Over Snowflake Customer Breach and
Extortion Attacks
Nov 2024
US indicts Snowflake hackers who extorted $2.5 million from 3 victims
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=469b78ee-1184-44c7-ad9d-4abe1ef60a18
Page 1 of 2

Information
Playbook Last change to this card: 02 March 2025
Download this actor card in PDF or JSON format
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=469b78ee-1184-44c7-ad9d-4abe1ef60a18
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=469b78ee-1184-44c7-ad9d-4abe1ef60a18
Page 2 of 2