Mandiant finds 165 Snowflake customers were targeted in hacking campaign
Mandiant today revealed that at least 165 organizations were targeted by a recent hacking campaign against Snowflake Inc. customers.
The Google LLC unit, which provides breach response services, is working with the cloud data platform provider to notify affected users. Ticketmaster Entertainment LLC and LendingTree Inc., a publicly traded loan provider, are among the affected customers. A recent post on a hacker forum indicates that Advance Auto Parts Inc.’s Snowflake environment may have been breached as well.
According to Mandiant, its researchers are tracking the cybercrime group behind the hacking campaign as UNC5537. The threat actor is believed to be financially motivated. Mandiant detailed that the hackers are breaching Snowflake environments not by exploiting a security flaw in the cloud data platform, but rather using login credentials stolen from customers.
“UNC5537’s campaign against Snowflake customer instances is not the result of any particularly novel or sophisticated tool, technique, or procedure,” Mandiant’s researchers wrote in a blog post. “This campaign’s broad impact is the consequence of the growing infostealer marketplace and missed opportunities to further secure credentials.”
The Google unit first caught wind of the malicious activity in April. That month, its researchers obtained threat intelligence about stolen database records which were later traced to an unnamed organization’s Snowflake environment. Mandiant shared its findings with the organization in question, which subsequently hired the Google unit to investigate further.
In May, the incident response provider’s researchers discovered that several other Snowflake customers experienced breaches as well. Mandiant notified Snowflake and the two companies began alerting impacted users. The cloud data platform provider officially disclosed the hacking campaign on May 30.
According to Mandiant, most of the login credentials that UNC5537 used to access Snowflake environments were stolen via “historical infostealer” cyberattacks. Some of those cyberattacks date back as far as 2020.
Mandiant identified three main reasons the hackers managed to access the targeted Snowflake environments: the affected customers didn’t refresh their login credentials, didn’t enable multifactor authentication and failed to implement network allow lists. Such lists block login attempts unless they originate from an approved location, such as a company’s office building.
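The three gaps above (stale credentials, password-only logins and no network allow list) are all visible in an account's own login records. The following is an added illustration, not code from this article, Mandiant or Snowflake: a small audit that runs those three checks over constructed login events. The field names mirror columns of Snowflake's `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` view, but the events, user names, the 90-day rotation window and the allow-listed IP ranges (RFC 5737 documentation addresses) are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed corporate egress ranges (RFC 5737 documentation addresses, not real ones).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Assumed rotation policy: a password older than this is treated as stale.
MAX_CREDENTIAL_AGE = timedelta(days=90)


@dataclass
class LoginEvent:
    """Subset of the columns exposed by SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY."""
    event_timestamp: datetime
    user_name: str
    client_ip: str
    first_authentication_factor: str
    second_authentication_factor: Optional[str]
    is_success: bool


@dataclass
class UserRecord:
    """Per-user attribute needed for the credential-age check (constructed)."""
    user_name: str
    password_last_set: datetime


def is_stale_credential(user: UserRecord, now: datetime) -> bool:
    """Credential rotation check: password older than the assumed policy window."""
    return now - user.password_last_set > MAX_CREDENTIAL_AGE


def is_password_only(event: LoginEvent) -> bool:
    """MFA check: a password login with no second factor recorded."""
    return (event.first_authentication_factor == "PASSWORD"
            and event.second_authentication_factor is None)


def is_outside_allow_list(event: LoginEvent) -> bool:
    """Network allow-list check: client IP not inside any approved range."""
    addr = ip_address(event.client_ip)
    return not any(addr in net for net in ALLOWED_NETWORKS)


def audit(events: List[LoginEvent], users: List[UserRecord],
          now: datetime) -> Dict[str, List[str]]:
    """Return, per user, the sorted list of findings from the three checks.

    Only successful logins generate MFA and allow-list findings; a failed
    attempt never reached the data, so it is not counted as exposure here.
    """
    findings: Dict[str, set] = {u.user_name: set() for u in users}
    for u in users:
        if is_stale_credential(u, now):
            findings[u.user_name].add("stale_credential")
    for e in events:
        if not e.is_success:
            continue
        bucket = findings.setdefault(e.user_name, set())
        if is_password_only(e):
            bucket.add("no_mfa")
        if is_outside_allow_list(e):
            bucket.add("ip_not_allowed")
    return {name: sorted(tags) for name, tags in findings.items()}


def sample_audit() -> Dict[str, List[str]]:
    """Run the audit over constructed data: three users, four login events."""
    now = datetime(2024, 6, 10)
    users = [
        UserRecord("alice", datetime(2020, 5, 1)),   # never rotated since 2020
        UserRecord("bob", datetime(2024, 5, 15)),    # rotated recently
        UserRecord("carol", datetime(2024, 4, 1)),   # 70 days old, inside window
    ]
    events = [
        # alice: password only, from an address outside the allow list
        LoginEvent(datetime(2024, 6, 9, 2, 14), "alice", "192.0.2.10",
                   "PASSWORD", None, True),
        # alice: a failed attempt, ignored by the audit
        LoginEvent(datetime(2024, 6, 9, 2, 10), "alice", "192.0.2.10",
                   "PASSWORD", None, False),
        # bob: second factor present, from an allow-listed range
        LoginEvent(datetime(2024, 6, 9, 9, 0), "bob", "203.0.113.5",
                   "PASSWORD", "DUO_PUSH", True),
        # carol: second factor present, but from outside the allow list
        LoginEvent(datetime(2024, 6, 9, 9, 30), "carol", "192.0.2.44",
                   "PASSWORD", "DUO_PUSH", True),
    ]
    return audit(events, users, now)


if __name__ == "__main__":
    for user, tags in sample_audit().items():
        print(f"{user}: {', '.join(tags) if tags else 'no findings'}")
```

Users such as `alice` in the constructed data, who trip all three checks at once, correspond to the exposure pattern the article describes; a real run would read the events from the account's login history rather than from inline records.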
“According to Mandiant and Snowflake’s analysis, at least 79.7% of the accounts leveraged by the threat actor in this campaign had prior credential exposure,” the Google unit’s researchers elaborated in today’s blog post.
On Friday, Snowflake issued a statement saying that it’s “developing a plan” for ensuring customers enable multifactor authentication. Additionally, the company has released technical guidance on how organizations can protect their deployments of its platform against hacking attempts.
Opal Security founder and Chief Executive Umaimah Khan told SiliconANGLE that a more proactive approach on MFA is crucial.
“Companies can’t just declare an MFA policy; they must actively govern it with MFA controls on approvers and requesters,” she said. “And MFA alone is not enough to protect against these continuous attacks. Companies must also improve their odds by implementing principles of least privilege to reduce access to data in the first place.”