UPDATED 19:10 EDT / JUNE 17 2024

Ransom demands issued to Snowflake users amid alleged third-party contractor breach

The number of companies facing ransom demands for data stolen in a campaign targeting Snowflake Inc. users is believed to be as many as 10, as a hacker claims to have gained access by compromising a third-party contractor.

The hacking campaign targeting Snowflake users first came to light in late May when a claimed 560 million records stolen from Ticketmaster Entertainment appeared for sale on the Breach Forums hacking site. This was then followed by data being offered for sale from U.S. auto parts provider Advance Auto Parts Inc. on June 6.

The commonality between the two was that they were both Snowflake customers. Snowflake said the data was not stolen as a result of a breach of its platform; instead, the attackers had targeted customer accounts that did not have multifactor authentication in place. Snowflake also noted that the threat actor appeared to be leveraging credentials previously purchased or obtained through information-stealing malware.
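The two conditions Snowflake describes, accounts that can be opened with a password alone and logins made with credentials harvested by infostealers, are both things an account administrator can look for directly. The following is an added example, not code from the article, from Snowflake or from Mandiant: it audits a Snowflake account for password-only users, lists recent logins that used no second factor, and applies a network policy as a mitigation. The view and column names are the ACCOUNT_USAGE ones as I understand them and should be checked against current Snowflake documentation; the IP ranges are placeholders.

```sql
-- Added example (not from the article, Snowflake or Mandiant). Run as an
-- account administrator. ACCOUNT_USAGE views lag live activity by up to a
-- couple of hours, so use them for audit, not for real-time blocking.
USE ROLE ACCOUNTADMIN;

-- 1. Users who can sign in with a password but are not enrolled in Duo MFA.
--    A credential stolen by an infostealer opens these accounts directly.
SELECT name,
       has_password,
       ext_authn_duo      AS mfa_enrolled,
       has_rsa_public_key AS keypair_auth,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days, with source IP and
--    client type. A previously unseen IP or client against a no-MFA user is
--    the detection signal for credential reuse.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;

-- 3. Mitigation: restrict the addresses from which logins are accepted.
--    The CIDR ranges below are placeholders (RFC 5737 documentation ranges);
--    substitute the organization's own egress addresses.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

Query 1 gives the exposure list and query 2 the activity to review against it; the network policy is worth applying only after confirming that legitimate service accounts and integrations connect from the allowed ranges, since it also blocks them. Rotating the passwords of any user that appears in both result sets closes the path the campaign relied on.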

A subsequent report from Google LLC’s Mandiant on June 10 found that at least 165 organizations were targeted in the hacking campaign.

Today Austin Larsen, a senior threat analyst at Mandiant, told Bloomberg that as many as 10 companies breached in the campaign had received demands to pay those behind the hacks between $300,000 and $5 million in exchange for not publishing the stolen data. Mandiant is also attributing the attack to a group it calls UNC5537.

As Mandiant was sharing data on the extent of the extortion attempts against victims, the hacker or hacking group known as ShinyHunters, which has claimed responsibility for the attacks, told Wired that it obtained access by first breaching a Belarusian-founded contractor that works with the breached customers.

The alleged attack path is said to have involved ShinyHunters compromising a company called EPAM Systems Inc., a New York Stock Exchange-listed company with a market cap of $10.11 billion as of the close of regular trading today. EPAM specializes in software engineering services, digital platform engineering and digital product design.

ShinyHunters alleges that it used data found on EPAM employee systems to gain access to some of the Snowflake accounts. EPAM denies the allegation, claiming that the hacker fabricated the tale.

Whether or not the claim is true, it’s at least a large coincidence that one of EPAM’s main product offerings is helping customers use and manage their Snowflake accounts, since it would have access to those accounts by the very nature of the offering to its customers. Another glaring coincidence: Two of EPAM’s major customers are Ticketmaster and Advance Auto Parts, the very same companies that were first known to have been hacked in the attacks on Snowflake customers.
