Full Report
Connor Riley Moucka signed a consent order on Friday in Ontario Superior Court in Kitchener that would allow him to be transferred to U.S. custody to face multiple charges.
Analysis Summary
# Incident Report: Widespread Data Theft via Compromised Snowflake Credentials
## Executive Summary
A widespread intrusion campaign in 2024 used previously stolen credentials, some of them dating back to 2020, to log in to customer accounts hosted on the Snowflake data cloud platform, affecting approximately 165 Snowflake customer organizations. The campaign consisted of credential reuse (credential stuffing) against Snowflake customer environments rather than an exploit of the platform itself, and it led to large-scale data exfiltration, including sensitive customer data from major entities such as AT&T and Ticketmaster. The alleged lead perpetrator, Connor Riley Moucka, was arrested in Canada and subsequently consented to transfer to U.S. custody to face related charges.
## Incident Details
- Discovery Date: May 2024 (Snowflake engaged Mandiant to investigate)
- Incident Date: Unauthorized access occurred in 2024, using credentials stolen as early as 2020.
- Affected Organization: Snowflake (as the platform provider); ~165 downstream customers affected (e.g., AT&T, Ticketmaster, Neiman Marcus, Santander).
- Sector: Technology/Data Warehousing, Telecommunications, Retail, Financial Services.
- Geography: Global impact (Perpetrators linked to North America and Turkey).
## Timeline of Events
### Initial Access
- Date/Time: Some of the credentials used had been stolen as early as 2020 and were still valid; the access campaign itself took place in 2024.
- Vector: Reuse of previously stolen credentials (credential stuffing) against employee accounts on Snowflake customer instances.
- Details: Attackers logged in with "still-valid credentials dating back to 2020" to reach customer accounts hosted on Snowflake. Snowflake stated that the activity was not caused by a vulnerability, misconfiguration, or breach of its platform.
### Lateral Movement
- Details: The source does not describe movement within the victims' own networks; the access described is direct login to each victim's Snowflake environment with the stolen credentials.
### Data Exfiltration/Impact
- Details: Approximately 165 companies were breached. Stolen data included call and text records for more than 100 million AT&T customers and records for about 560 million Ticketmaster users.
### Detection & Response
- Date/Time: May 2024 (investigation); October 2024 (arrest).
- Details: Snowflake engaged Mandiant to investigate. Law enforcement action culminated in the arrest of Connor Riley Moucka in Canada in October 2024 after U.S. authorities linked him to the activity.
- Response Actions: Snowflake stated its platform had not been breached; Mandiant conducted the external investigation; law enforcement coordination led to the arrest and the consent order for transfer to U.S. custody.
## Attack Methodology
- Initial Access: Stolen/reused credentials (credential stuffing) against Snowflake customer accounts. Mandiant reported that the compromised accounts did not have MFA enforced, so a valid username and password alone was sufficient to log in.
- Persistence: Not explicitly detailed; sustained access was maintained simply by continuing to use credentials that remained valid.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: Logins with valid credentials resemble legitimate user activity; the age of the credentials did not cause them to be rejected.
- Credential Access: Credentials stolen as early as 2020 (the source does not state how they were obtained) and reused in the 2024 campaign.
- Discovery: Not explicitly detailed.
- Lateral Movement: Not explicitly detailed beyond direct access to the victims' Snowflake accounts.
- Collection: Customer datasets held in each victim's Snowflake environment.
- Exfiltration: Bulk data theft from approximately 165 victim organizations.
- Impact: Mass data theft; extortion of victims is implied by the context of similar campaigns but is not detailed in the source.
## Impact Assessment
- Financial: Not quantified in the source; remediation across roughly 165 customers and potential regulatory fines imply significant cost.
- Data Breach: Massive scale. Included call and text records (more than 100 million AT&T customers), user records (about 560 million Ticketmaster users), and customer data from Advance Auto Parts, Neiman Marcus, Santander, and LendingTree.
- Operational: Breach notifications and remediation work across nearly 165 organizations.
- Reputational: Widespread concern because a single third-party data platform was the common point of access across many unrelated victims.
## Indicators of Compromise
- Network indicators: None provided in the source. Mandiant tracks the threat actor as UNC5537; its infrastructure is not listed here.
- File indicators: None provided.
- Behavioral indicators: Successful logins to Snowflake customer accounts using long-lived, previously stolen credentials, with a password as the only authentication factor. This pattern points to credentials that were never rotated and accounts on which MFA was not enforced.
## Response Actions
- Containment measures: Snowflake and Mandiant investigated to establish the scope of the activity; specific containment steps at individual customers are not described in the source.
- Eradication steps: Invalidating and rotating the exposed credentials across the affected customer base is the necessary eradication step; the source does not detail how each customer carried this out.
- Recovery/legal actions: The source describes no technical recovery steps; the legal outcome was the arrest of the alleged lead actor in Canada and his consent to transfer to U.S. custody.
## Lessons Learned
- Key takeaways: Credentials that remain valid for years are a long-term risk that sits entirely with the customer, even when the platform vendor (Snowflake) is not itself compromised. The campaign was opportunistic: it reused whatever stolen credentials still worked against customer login endpoints.
- What could have been done better: Affected customers needed enforced credential rotation and, above all, universally enforced multi-factor authentication (MFA) on their Snowflake accounts; either control would have stopped a password-only login with a years-old credential.
## Recommendations
- Prevention measures for similar incidents:
1. Mandate and enforce MFA on every cloud service login, regardless of how old the credential is or how long the account has existed.
2. Implement automated credential rotation for service accounts and for employee credentials with regular access to critical data platforms.
3. Regularly audit credentials and disable or rotate any that are older than a defined threshold (e.g., 90 or 180 days), even if the service still accepts them as valid.
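The following Snowflake SQL is an added example illustrating the behavioral indicator and the three recommendations above; it is not from the report, from Snowflake, or from Mandiant. It assumes a role with access to the `SNOWFLAKE.ACCOUNT_USAGE` schema (e.g., ACCOUNTADMIN); the user names `jdoe` and `svc_etl`, the policy name `require_mfa`, and the 90-day lookback and 180-day rotation threshold are placeholders chosen for the example.

```sql
-- Assumptions: run as ACCOUNTADMIN (or a role granted IMPORTED PRIVILEGES on the
-- SNOWFLAKE database). ACCOUNT_USAGE views lag live activity by up to ~2 hours.

-- 1. Hunt: successful logins accepted on a password alone (no second factor).
--    This is exactly the pattern the campaign relied on.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
AND    is_success = 'YES'
AND    first_authentication_factor = 'PASSWORD'
AND    second_authentication_factor IS NULL
GROUP  BY 1, 2, 3
ORDER  BY last_seen DESC;

-- 2. Audit: enabled password users whose password is older than the rotation
--    threshold (180 days, an assumed policy value) or has never been rotated.
SELECT name,
       password_last_set_time,
       last_success_login,
       DATEDIFF('day', password_last_set_time, CURRENT_TIMESTAMP()) AS password_age_days
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
AND    disabled = FALSE
AND    has_password = TRUE
AND    (password_last_set_time IS NULL
        OR password_last_set_time < DATEADD('day', -180, CURRENT_TIMESTAMP()))
ORDER  BY password_age_days DESC NULLS FIRST;

-- 3. Contain: for an account flagged by the queries above, kill running work and
--    block further logins. 'jdoe' is a placeholder user name. Re-enable only after
--    identity is verified, then issue ALTER USER jdoe RESET PASSWORD for a new one.
ALTER USER jdoe ABORT ALL QUERIES;
ALTER USER jdoe SET DISABLED = TRUE;

-- 4. Prevent: require MFA enrollment for every password login, account-wide.
--    'require_mfa' is an assumed name; the policy is created in the current schema.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  AUTHENTICATION_METHODS     = ('PASSWORD', 'SAML')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 5. Service accounts cannot answer an MFA prompt, so move them to key-pair
--    authentication, drop the password, and mark them as SERVICE users, which
--    cannot log in with a password at all. 'svc_etl' is a placeholder.
ALTER USER svc_etl SET RSA_PUBLIC_KEY = '<base64 public key body>';  -- private key stays with the job
ALTER USER svc_etl UNSET PASSWORD;
ALTER USER svc_etl SET TYPE = SERVICE;
```

Query 1 is the detection to run first: any row it returns is an account that could have been taken over by this campaign's method. Query 2 turns recommendation 3 into a standing report; schedule it and treat every row as a ticket. Step 4 is the control that would have blocked the campaign outright, and step 5 removes the usual objection to it, since a service account with only a key pair has nothing for an infostealer to harvest from a saved password.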