ShinyHunters Member Details How They Allegedly Stole Snowflake Customer Data

• A member of the infamous ShinyHunters hacking group revealed how they reportedly stole customer data from Snowflake accounts.
• The story confirms the involvement of third-party contractors and credentials from old breaches.
• The lack of secure authentication methods was also invoked as a free-entry permit into the Snowflake customer accounts.

A member of the ShinyHunters hacker group says the gang gained access to Snowflake accounts belonging to Ticketmaster and others by first breaching a third party, which was a Belarusian-founded contractor that works with those customers, as per Wired.

The hacker said ShinyHunters installed a Remote Access Trojan (RAT) on the computer of an EPAM employee in Ukraine, which was infected with info-stealer malware through a spear-phishing attack. 

The group stole the unencrypted credentials stored on the worker’s machine in the Jira project management tool used for EPAM customers’ Snowflake accounts, including Ticketmaster. For the accounts for which credentials were not found on the compromised computer, the actor used old credentials stolen in previous breaches by hackers using info-stealer malware.

They say they could leverage these credentials to access the Snowflake accounts that didn’t require multifactor authentication (MFA). 

The existence of an online repository of info-stealer-obtained data containing information from the said EPAM worker’s system may prove the story is not fabricated. It includes their browser history and complete name and an internal EPAM URL pointing to Ticketmaster’s Snowflake account.

EPAM, a publicly traded software engineering and digital services company founded by Arkadiy Dobkin, has dismissed the story. However, the company is a high-value Snowflake partner that manages the cloud firm’s analytics platform for its customers, which provides “assistance with using and managing their Snowflake accounts to store and analyze their data.“

Snowflake has said little about these security incidents besides stating that their own systems haven’t been attacked, even though they had previously mentioned a former employee’s “demo” account was compromised. The company says the lack of MFA, previous data breaches, and credentials stolen from info-stealing malware is at fault and that they observed “potentially unauthorized access to certain customer accounts” on May 23, 2024, notifying the affected clients.

However, incident response firm Mandiant has attributed the data theft incident affecting approximately 165 cloud data company Snowflake customers, including Ticketmaster, Santander Bank, LendingTree subsidiary QuoteWizard, Advance Auto Parts, and Pure Storage, to the UNC5537 threat actor. This actor has frequently extorted hundreds of companies worldwide and uses several aliases on Telegram channels and cybercrime forums.

Snowflake user accounts do not have default MFA enabled, and it’s not mandatory. Hackers leveraged leaked credentials of Snowflake customer accounts without MFA that were exposed via several info-stealer malware variants. Mandiant observed the initial compromise of info-stealer malware on contractor systems also used for personal activities, such as gaming and downloading pirated software. 

It is not yet known whether Ticketmaster, Santander, Lending Tree, or Advance AutoParts are EPAM customers.