{
	"id": "dd273d62-4a7a-43cf-b6c2-cf769b3a4088",
	"created_at": "2026-04-06T00:09:16.465895Z",
	"updated_at": "2026-04-10T03:31:41.944839Z",
	"deleted_at": null,
	"sha1_hash": "8f81a5c1abb37ef5db0a577443d7879ea2ef449c",
	"title": "UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 350896,
	"plain_text": "UNC5537 Targets Snowflake Customer Instances for Data Theft\r\nand Extortion\r\nBy Mandiant\r\nPublished: 2024-06-10 · Archived: 2026-04-05 13:14:56 UTC\r\nUPDATE (June 17): We have released our Snowflake threat hunting guide, which contains guidance and queries\r\nfor detecting abnormal and malicious activity across Snowflake customer database instances. Default retention\r\npolicies for the relevant views enable threat hunting across the past 1 year (365 days).\r\nIntroduction\r\nThrough the course of our incident response engagements and threat intelligence collections, Mandiant has\r\nidentified a threat campaign targeting Snowflake customer database instances with the intent of data theft and\r\nextortion. Snowflake is a multi-cloud data warehousing platform used to store and analyze large amounts of\r\nstructured and unstructured data. Mandiant tracks this cluster of activity as UNC5537, a financially motivated\r\nthreat actor suspected to have stolen a significant volume of records from Snowflake customer environments.\r\nUNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials,\r\nadvertising victim data for sale on cybercrime forums, and attempting to extort many of the victims.\r\nMandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer\r\naccounts stemmed from a breach of Snowflake's enterprise environment. Instead, every incident Mandiant\r\nresponded to associated with this campaign was traced back to compromised customer credentials.\r\nIn April 2024, Mandiant received threat intelligence on database records that were subsequently determined to\r\nhave originated from a victim’s Snowflake instance. Mandiant notified the victim, who then engaged Mandiant to\r\ninvestigate suspected data theft involving their Snowflake instance. 
During this investigation, Mandiant\r\ndetermined that the organization’s Snowflake instance had been compromised by a threat actor using credentials\r\npreviously stolen via infostealer malware. The threat actor used these stolen credentials to access the customer’s\r\nSnowflake instance and ultimately exfiltrate valuable data. At the time of the compromise, the account did not\r\nhave multi-factor authentication (MFA) enabled.\r\nOn May 22, 2024, upon obtaining additional intelligence identifying a broader campaign targeting additional\r\nSnowflake customer instances, Mandiant immediately contacted Snowflake and began notifying potential victims\r\nthrough our Victim Notification Program. To date, Mandiant and Snowflake have notified approximately 165\r\npotentially exposed organizations. Snowflake’s Customer Support has been directly engaged with these customers\r\nto ensure the safety of their accounts and data. Mandiant and Snowflake have been conducting a joint\r\ninvestigation into this ongoing threat campaign and coordinating with relevant law enforcement agencies. On May\r\n30, 2024, Snowflake published detailed detection and hardening guidance to Snowflake customers.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion\r\nPage 1 of 7\n\nCampaign Overview\r\nBased on our investigations to date, UNC5537 obtained access to multiple organizations’ Snowflake customer\r\ninstances via stolen customer credentials. These credentials were primarily obtained from multiple infostealer\r\nmalware campaigns that infected non-Snowflake-owned systems. This allowed the threat actor to gain access to\r\nthe affected customer accounts and led to the export of a significant volume of customer data from the respective\r\nSnowflake customer instances. 
The threat actor has subsequently begun to extort many of the victims directly and\r\nis actively attempting to sell the stolen customer data on recognized cybercriminal forums.\r\nMandiant identified that the majority of the credentials used by UNC5537 were available from historical\r\ninfostealer infections, some of which dated as far back as 2020.\r\nThe threat campaign conducted by UNC5537 has resulted in numerous successful compromises due to three\r\nprimary factors:\r\n1. The impacted accounts were not configured with multi-factor authentication enabled, meaning successful\r\nauthentication only required a valid username and password.\r\n2. Credentials identified in infostealer malware output were still valid, in some cases years after they were\r\nstolen, and had not been rotated or updated.\r\n3. The impacted Snowflake customer instances did not have network allow lists in place to only allow access\r\nfrom trusted locations.\r\nUNC5537 Campaign Timeline (figure)\r\nCredential Exposure\r\nMandiant identified that the threat actor used Snowflake customer credentials that were previously exposed via\r\nseveral infostealer malware variants, including: VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA\r\nand METASTEALER. For the organizations that directly engaged Mandiant for incident response services,\r\nMandiant determined the root cause of their Snowflake instance compromise was exposed credentials. Further,\r\naccording to Mandiant and Snowflake’s analysis, at least 79.7% of the accounts leveraged by the threat actor in\r\nthis campaign had prior credential exposure. \r\nThe earliest infostealer infection date observed associated with a credential leveraged by the threat actor dated\r\nback to November 2020. In total, Mandiant identified hundreds of customer Snowflake credentials exposed via\r\ninfostealers since 2020. 
\r\nStolen credentials pose a serious security risk to organizations and were the fourth most notable initial intrusion\r\nvector in 2023, as 10% of intrusions began with stolen credentials. Attackers often obtain credentials due to\r\npassword reuse or users inadvertently downloading trojanized software on corporate or personal devices. The\r\nprevalence of both widespread infostealer malware and credential purchasing continues to challenge defenders.\r\nContractor Accounts\r\nIn several Snowflake-related investigations, Mandiant observed that the initial infostealer malware compromise\r\noccurred on contractor systems that were also used for personal activities, including gaming and downloads of\r\npirated software. \r\nContractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored\r\nlaptops that exacerbate this initial entry vector. These devices, often used to access the systems of multiple\r\norganizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can\r\nfacilitate threat actor access across multiple organizations, often with IT and administrator-level privileges. \r\nReconnaissance \r\nInitial access to Snowflake customer instances often occurred via the native web-based UI (Snowflake UI, also known as\r\nSnowsight) and/or the command-line interface (CLI) tool (SnowSQL) running on Windows Server 2022. Mandiant\r\nidentified additional access leveraging an attacker-named utility, “rapeflake”, which Mandiant tracks as\r\nFROSTBITE. \r\nWhile Mandiant has not yet recovered a complete sample of FROSTBITE, Mandiant assesses FROSTBITE is\r\nused to perform reconnaissance against target Snowflake instances. Mandiant observed usage of both .NET and\r\nJava versions of FROSTBITE. The .NET version interacts with the Snowflake .NET driver. 
The Java version\r\ninteracts with the Snowflake JDBC driver. FROSTBITE has been observed performing SQL recon activities\r\nincluding listing users, current roles, current IPs, session IDs, and organization names. Mandiant also observed\r\nUNC5537 using the publicly available database management utility DBeaver Ultimate to connect and run queries\r\nacross Snowflake instances.\r\nExample FROSTBITE Snowflake Log Entry\r\nDeployment: \u003cREDACTED\u003e | Account ID: \u003cREDACTED\u003e |\r\nAccount Name: \u003cREDACTED\u003e | User Name: \u003cREDACTED\u003e |\r\nClient IP: 45.27.26.205 | Client App ID: PythonConnector 3.10.1 |\r\nClient App Version: 3.10.1 | Client Environment: {\\n \"APPLICATION\":\r\n\"rapeflake\",\\n \"LOGIN_TIMEOUT\": null,\\n \"NETWORK_TIMEOUT\": null,\\n\r\n\"OCSP_MODE\": \"FAIL_OPEN\",\\n \"OS\": \"Darwin\",\\n \"OS_VERSION\":\r\n\"macOS-13.6.7-arm64-arm-64bit\",\\n \"PYTHON_COMPILER\":\r\n\"Clang 14.0.3 (clang-1403.0.22.14.1)\",\\n \"PYTHON_RUNTIME\":\r\n\"CPython\",\\n \"PYTHON_VERSION\": \"3.11.4\",\\n \"SOCKET_TIMEOUT\":\r\nnull,\\n \"TRACING\": 30\\n} (2024/05/31 20:10:13)\r\nExample DBeaver Ultimate Snowflake Log Entry\r\nDeployment Query: Sessions | Deployment: \u003cREDACTED\u003e | Account ID:\r\n\u003cREDACTED\u003e | Account Name: \u003cREDACTED\u003e | User Name: \u003cREDACTED\u003e |\r\nClient IP: 37.19.210.21 | Client App ID: JDBC 3.13.30 | Client App Version:\r\n3.13.30 | Client Environment: {\\n \"APPLICATION\":\r\n\"DBeaver_DBeaverUltimate\",\\n \"JAVA_RUNTIME\": \"Java(TM)\r\nSE Runtime Environment\",\\n \"JAVA_VERSION\": \"17.0.10\",\\n \"JAVA_VM\":\r\n\"Java HotSpot(TM) 64-Bit Server VM\",\\n \"OCSP_MODE\": \"FAIL_OPEN\",\\n\r\n\"OS\": \"Windows Server 2022\",\\n \"OS_VERSION\": \"10.0\",\\n \"account\":\r\n\"\u003cREDACTED\u003e\",\\n \"application\": \"DBeaver_DBeaverUltimate\",\\n \"database\":\r\n\"\u003cREDACTED\u003e\",\\n \"password\": \"****\",\\n \"schema\": \"\u003cREDACTED\u003e\",\\n\r\n\"serverURL\": 
\"https://\u003cREDACTED\u003e.snowflakecomputing.com:443/\",\\n\r\n\"tracing\": \"INFO\",\\n \"user\": \"\u003cREDACTED\u003e\",\\n \"warehouse\":\r\n\"\u003cREDACTED\u003e\"\\n} (2024/04/14 10:04:10)\r\nComplete Mission\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion\r\nPage 4 of 7\n\nMandiant observed UNC5537 repeatedly executing similar SQL commands across numerous customer Snowflake\r\ninstances to stage and exfiltrate data. The following commands were observed for data staging and exfiltration.\r\nSHOW TABLES\r\nUNC5537 utilized the SHOW TABLES command to perform reconnaissance, listing out all databases and\r\nassociated tables present across the impacted customer environments.\r\nSELECT * FROM \r\nUNC5537 utilized the SELECT command to download individual tables of threat actor interest.\r\nSELECT * FROM \u003cTarget Database\u003e.\u003cTarget Schema\u003e.\u003cTarget Table\u003e\r\nLIST/LS\r\nUNC5537 attempted to enumerate other stages using the LIST command prior to creating temporary stages.\r\nls \u003cinternal or external stage name\u003e\r\nCREATE (TEMP|TEMPORARY) STAGE\r\nUNC5537 created temporary stages for data staging using the CREATE STAGE command. Stages are named\r\ntables that store data files for loading and unloading into database tables. If the stage is identified as temporary on\r\ncreation, the stage is deleted once the creator’s current Snowflake session ends.\r\nCREATE TEMPORARY STAGE \u003cRedacted Database\u003e.\u003cRedacted Schema\u003e.\r\n\u003cRedacted Attacker Stage Name\u003e;\r\nCOPY INTO\r\nUNC5537 utilized the COPY INTO command to copy data into the previously created temporary stages, shown as\r\nfollows. The COPY INTO command can be used to copy information to/from internal stages, external stages tied\r\nto cloud services, and internal Snowflake tables. 
The threat actor was seen compressing the results as GZIP files\r\nusing the COMPRESSION parameter to reduce the overall size of data before exfiltration.\r\nCOPY INTO @\u003cAttacker Stage and Path\u003e\r\nFROM (select * FROM \u003cTarget Database\u003e.\u003cTarget Schema\u003e.\u003cTarget Table\u003e )\r\nFILE_FORMAT = (\r\n TYPE='CSV'\r\n COMPRESSION=GZIP\r\n FIELD_DELIMITER=','\r\n ESCAPE=NONE\r\n ESCAPE_UNENCLOSED_FIELD=NONE\r\n date_format='AUTO'\r\n time_format='AUTO'\r\n timestamp_format='AUTO'\r\n binary_format='UTF-8'\r\n field_optionally_enclosed_by='\"'\r\n null_if=''\r\n EMPTY_FIELD_AS_NULL = FALSE\r\n)\r\noverwrite=TRUE\r\nsingle=FALSE\r\nmax_file_size=5368709120\r\nheader=TRUE;\r\nGET\r\nFinally, UNC5537 utilized the GET command to exfiltrate data from the temporary stages to locally specified\r\ndirectories.\r\nGET @\u003ctarget stage and filepath\u003e file:///\u003cAttacker Local Machine Path\u003e;\r\nUNC5537 Attribution\r\nMandiant has been tracking UNC5537, a financially motivated threat actor, as a distinct cluster since May 2024.\r\nUNC5537 has targeted hundreds of organizations worldwide, and frequently extorts victims for financial gain.\r\nUNC5537 operates under various aliases on Telegram channels and cybercrime forums. Mandiant has identified\r\nmembers with associations to other tracked groups. Mandiant assesses with moderate confidence that UNC5537\r\ncomprises members based in North America, and collaborates with an additional member in Turkey.\r\nAttacker Infrastructure\r\nUNC5537 primarily used Mullvad or Private Internet Access (PIA) VPN IP addresses to access victim Snowflake\r\ninstances. When exfiltrating data, Mandiant observed the use of VPS systems from ALEXHOST SRL\r\n(AS200019), a Moldovan provider. 
UNC5537 was observed storing stolen victim data on several international\r\nVPS providers as well as the cloud storage provider MEGA.\r\nOutlook & Implications\r\nUNC5537’s campaign against Snowflake customer instances is not the result of any particularly novel or\r\nsophisticated tool, technique, or procedure. This campaign’s broad impact is the consequence of the growing\r\ninfostealer marketplace and missed opportunities to further secure credentials:\r\nUNC5537 was likely able to aggregate credentials for Snowflake victim instances by accessing a variety of\r\ndifferent sources of infostealer logs. The underground infostealer economy is also extremely robust, and\r\nlarge lists of stolen credentials exist both for free and for purchase inside and outside of the dark web.\r\nThe affected customer instances did not require multi-factor authentication, and in many cases the\r\ncredentials had not been rotated for as long as four years. Network allow lists were also not used to limit\r\naccess to trusted locations.\r\nThis campaign highlights the consequences of vast amounts of credentials circulating on the infostealer\r\nmarketplace and may be representative of a specific focus by threat actors on similar SaaS platforms. Mandiant\r\nassesses UNC5537 will continue this pattern of intrusion, targeting additional SaaS platforms in the near future.\r\nThe broad impact of this campaign underscores the urgent need for credential monitoring, the universal\r\nenforcement of MFA and secure authentication, limiting traffic to trusted locations for crown jewels, and alerting\r\non abnormal access attempts. 
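The post hands a defender two concrete signals: the client-application strings in the session log entries quoted under Reconnaissance (and listed again under Indicators of Compromise), and the CREATE TEMPORARY STAGE, COPY INTO @stage, GET @stage sequence under Complete Mission. The Python below is an added example written for this page, not code from Mandiant or Snowflake, that turns both into a triage routine. It assumes session entries in the field layout of the two log excerpts above and a per-session list of query text; the sample entries, user names and the 10.0.0.5 address are constructed (the other two client IPs are the ones shown in the post's excerpts), and the split of the IOC list into high- and low-fidelity strings is the editor's judgement rather than the post's.

```python
# Added example, not code from the Mandiant post: triage Snowflake session
# entries laid out like the two log excerpts above, joined with each session's
# queries. Sample entries, user names and 10.0.0.5 are constructed; the other
# two client IPs are the ones shown in the post's excerpts.
import json

# Client application IDs from the post's IOC list. The high/low split is an
# editorial judgement: driver and UI strings appear on legitimate sessions too.
HIGH_FIDELITY_APP_IDS = {'rapeflake', 'dbeaver_dbeaverultimate'}
LOW_FIDELITY_APP_IDS = {'go 1.1.5', 'jdbc 3.13.30', 'jdbc 3.15.0', 'snowsql 1.2.32',
                        'pythonconnector 2.7.6', 'snowflake ui', 'snowsight al'}

def parse_entry(line):
    '''Split a ' | '-delimited entry: key: value pairs, a JSON environment, then the time.'''
    marker = 'Client Environment: '
    cut = line.index(marker)
    head, tail = line[:cut], line[cut + len(marker):]
    fields = {}
    for part in head.split(' | '):
        if ': ' in part:
            key, value = part.split(': ', 1)
            fields[key.strip()] = value.strip()
    close = tail.rfind('}')
    # Real entries carry literal backslash-n between environment keys; drop it.
    env_text = tail[tail.find('{'):close + 1].replace(chr(92) + 'n', ' ')
    fields['env'] = json.loads(env_text)
    # Read the time after the object: values inside it (PYTHON_COMPILER in the
    # FROSTBITE excerpt) can contain parentheses of their own.
    after = tail[close + 1:]
    fields['timestamp'] = after[after.find('(') + 1:after.rfind(')')]
    return fields

def app_ioc_level(entry):
    '''Strongest IOC hit across Client App ID and APPLICATION: high, low or None.'''
    seen = {entry.get('Client App ID', '').lower(),
            str(entry['env'].get('APPLICATION', '')).lower()}
    if seen & HIGH_FIDELITY_APP_IDS:
        return 'high'
    return 'low' if seen & LOW_FIDELITY_APP_IDS else None

# The staging sequence from the Complete Mission section, as predicates over
# upper-cased, whitespace-normalised query text. COPY INTO @stage unloads to a
# stage; COPY INTO table FROM @stage is an ordinary load and is not matched.
EXFIL_CHAIN = (
    lambda q: q.startswith('CREATE') and ('TEMPORARY STAGE' in q or 'TEMP STAGE' in q),
    lambda q: q.startswith('COPY INTO @'),
    lambda q: q.startswith('GET @'),
)

def has_exfil_chain(queries):
    '''True when the three chain steps occur in order (other queries may intervene).'''
    step = 0
    for query in queries:
        if step < len(EXFIL_CHAIN) and EXFIL_CHAIN[step](' '.join(query.upper().split())):
            step += 1
    return step == len(EXFIL_CHAIN)

def triage(line, queries):
    '''Combine both signals for one session into a verdict.'''
    entry = parse_entry(line)
    level, chain = app_ioc_level(entry), has_exfil_chain(queries)
    verdict = ('investigate' if level == 'high' or chain
               else 'monitor' if level == 'low' else 'clear')
    return {'user': entry.get('User Name'), 'client_ip': entry.get('Client IP'),
            'app_id': entry.get('Client App ID'), 'timestamp': entry['timestamp'],
            'application': entry['env'].get('APPLICATION'),
            'app_ioc': level, 'exfil_chain': chain, 'verdict': verdict}

def _entry(user, ip, app_id, env, stamp):
    # Constructed entry in the post's layout; json.dumps gives the environment
    # the same double-quoted form the real entries have.
    return ('Deployment: <REDACTED> | Account ID: <REDACTED> | Account Name: <REDACTED>'
            ' | User Name: ' + user + ' | Client IP: ' + ip + ' | Client App ID: ' +
            app_id + ' | Client App Version: ' + app_id.split()[-1] +
            ' | Client Environment: ' + json.dumps(env) + ' (' + stamp + ')')

# Constructed sessions: (entry line, that session's queries in order).
SAMPLE_SESSIONS = {
    'frostbite_recon': (
        _entry('svc_etl', '45.27.26.205', 'PythonConnector 3.10.1',
               {'APPLICATION': 'rapeflake', 'OS': 'Darwin',
                'PYTHON_COMPILER': 'Clang 14.0.3 (clang-1403.0.22.14.1)'},
               '2024/05/31 20:10:13'),
        ['SHOW TABLES', 'SELECT current_user(), current_role(), current_session()']),
    'dbeaver_exfil': (
        _entry('contractor1', '37.19.210.21', 'JDBC 3.13.30',
               {'APPLICATION': 'DBeaver_DBeaverUltimate', 'OS': 'Windows Server 2022'},
               '2024/04/14 10:04:10'),
        ['SHOW TABLES', 'ls @db1.public.landing', 'CREATE TEMPORARY STAGE db1.public.tmp1;',
         'COPY INTO @db1.public.tmp1/out FROM (select * FROM db1.public.customers) '
         'FILE_FORMAT = (TYPE=CSV COMPRESSION=GZIP) header=TRUE;',
         'GET @db1.public.tmp1/out file:///tmp/out;']),
    'routine_load': (
        _entry('svc_etl', '10.0.0.5', 'SnowSQL 1.2.32', {'APPLICATION': 'SnowSQL'}, '2024/05/31 08:00:00'),
        ['PUT file:///data/day.csv @db1.public.landing;',
         'COPY INTO db1.public.events FROM @db1.public.landing;']),
}

def run_samples():
    return {name: triage(line, qs) for name, (line, qs) in SAMPLE_SESSIONS.items()}
```

run_samples() returns one verdict per constructed session: the FROSTBITE entry is flagged on the APPLICATION value alone even though its Client App ID is a stock Python connector, the DBeaver session on both the application name and the complete staging chain, and the routine SnowSQL job only as monitor, because its COPY INTO loads from a stage rather than unloading to one. In a live account the same inputs come from the SNOWFLAKE.ACCOUNT_USAGE login, session and query history views rather than from text logs, and the chain check should be keyed on session ID so that a stage created in one session and read in another is not missed.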
For further recommendations on how to harden Snowflake environments, please see\r\nSnowflake’s Hardening Guide.\r\nIndicators of Compromise (IOCs)\r\nGoogle Threat Intelligence Collection of IPs\r\nA Google Threat Intelligence Collection of IPs is available.\r\nClient Application IDs\r\nRapeflake\r\nDBeaver_DBeaverUltimate\r\nGo 1.1.5\r\nJDBC 3.13.30\r\nJDBC 3.15.0\r\nPythonConnector 2.7.6\r\nSnowSQL 1.2.32\r\nSnowflake UI\r\nSnowsight Al\r\nAdditional IOCs are available in Snowflake’s updated blog post.\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion"
	],
	"report_names": [
		"unc5537-snowflake-data-theft-extortion"
	],
	"threat_actors": [
		{
			"id": "358432a9-d927-43c7-9201-b7aa7d184c26",
			"created_at": "2024-06-20T02:02:10.317536Z",
			"updated_at": "2026-04-10T02:00:05.043265Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "ETDA:UNC5537",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c24777-7c0f-4772-b273-2163ac5a6b67",
			"created_at": "2024-06-19T02:00:04.373472Z",
			"updated_at": "2026-04-10T02:00:03.651748Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5537",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434156,
	"ts_updated_at": 1775791901,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f81a5c1abb37ef5db0a577443d7879ea2ef449c.pdf",
		"text": "https://archive.orkl.eu/8f81a5c1abb37ef5db0a577443d7879ea2ef449c.txt",
		"img": "https://archive.orkl.eu/8f81a5c1abb37ef5db0a577443d7879ea2ef449c.jpg"
	}
}