Full Report
A 26-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake. On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first reported Moucka's alleged ties to the Snowflake hacks on Monday. At the end of 2023, malicious hackers learned that many large companies had uploaded huge volumes of sensitive customer data to Snowflake accounts that were protected with little more than a username and password (no multi-factor authentication required). After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories used by some of the world’s largest corporations.
Analysis Summary
# Incident Report: Widespread Snowflake Customer Extortion and Data Theft by UNC5537
## Executive Summary
A widespread extortion and data theft campaign orchestrated by the threat group UNC5537 targeted over 160 organizations using the cloud data platform Snowflake. Attackers exploited weak authentication (username/password only) on customer instances to steal sensitive data, followed by ransom demands. The operation culminated in the December 2024 arrest of alleged key member Alexander Moucka (aka Judische/Connor Riley Moucka) in Canada under a US warrant, revealing links between this cybercrime and extremist activities.
## Incident Details
- Discovery Date: Initial claims surfaced around May 2, 2024 (Santander Bank claim). Widespread impact recognized thereafter, highlighted by Mandiant reports.
- Incident Date: Campaign active from late 2023/early 2024, with systematic exploitation noted beginning April 2024.
- Affected Organization: Over 160 Snowflake customer organizations, including AT&T, TicketMaster, Lending Tree, Advance Auto Parts, and Neiman Marcus.
- Sector: Cross-sector, heavily impacting telecommunications and retail/financial services.
- Geography: Global impact, with primary actors linked to North America (Moucka, Binns).
## Timeline of Events
### Initial Access
- Date/Time: Throughout late 2023 and early 2024, systematic compromise began around April 2024.
- Vector: Compromised Snowflake customer accounts protected only by username and password (lack of MFA).
- Details: Attackers obtained previously stolen credential sets by scouring darknet markets, then reused them against the matching Snowflake accounts.
### Lateral Movement
- Details: The article focuses primarily on data access within the Snowflake repositories rather than internal network lateral movement, suggesting the primary compromise was focused on the specific cloud database instances.
### Data Exfiltration/Impact
- Details: Large volumes of sensitive customer data were stolen from over 160 victim companies. Specific impacts include the theft of personal information and phone/text message records for nearly 110 million AT&T customers. Attackers demanded ransom from victims to prevent data leakage/sale.
### Detection & Response
- Detection: Victims were privately approached by hackers demanding ransom. Public awareness and investigation efforts amplified by firms like Mandiant and investigative journalism.
- Response Actions: AT&T reportedly paid $370,000 to one hacker to delete stolen records. Law enforcement agencies (US DOJ, Canadian authorities) launched investigations culminating in arrests.
## Attack Methodology
- Initial Access: Exploitation of misconfigured SaaS instances (Snowflake) using readily available username/password credentials obtained from darknet markets.
- Persistence: Not explicitly detailed; sustained access is implied by the volume of data exfiltrated.
- Privilege Escalation: Not explicitly detailed; the stolen credentials already granted the access needed to read the data in the compromised instances.
- Defense Evasion: Leveraging stolen credentials to bypass basic perimeter defenses for cloud storage.
- Credential Access: Acquisition of credentials from external sources (darknet markets).
- Discovery: Specific commands run inside Snowflake are not described; general reconnaissance of target organizations was performed by the associated group (UNC5537).
- Lateral Movement: Focused access within the compromised Snowflake instances.
- Collection: Gathering huge volumes of sensitive customer data from victim repositories.
- Exfiltration: Not described in detail; the collected data was evidently transferred out of the Snowflake environment before ransom demands were made.
- Impact: Data extortion (ransom demands) and potential public data leakage/sale (sometimes outsourced to threat actors like Kiberphant0m).
## Impact Assessment
- Financial: AT&T paid $370,000 in one instance to facilitate data deletion. Extortion demands were made across 160+ companies.
- Data Breach: Personal information, phone records, and SMS records for nearly 110 million AT&T customers. Data stolen from TicketMaster, Lending Tree, Advance Auto Parts, Neiman Marcus, and Santander Bank, among others.
- Operational: Significant data loss and business disruption due to extortion and public disclosure/investigation.
- Reputational: Significant damage to the reputation of affected organizations and the security perception of the Snowflake platform itself.
## Indicators of Compromise
- Network indicators: (None provided in the source report)
- File indicators: (None provided)
- Behavioral indicators: Prolific extortion attempts against large organizations; use of handles like 'Judische' and 'Waifu'; communication via Telegram channel 'Star Chat'.
## Response Actions
- Containment measures: Not detailed; likely involved immediate credential rotation and hardening Snowflake configurations against password-only access.
- Eradication steps: Not detailed; likely involved remediation of compromised environments and assessment of any broader UNC5537 access.
- Recovery actions: Affected organizations began recovery following data disclosure and extortion attempts. Authorities proceeded with arrests and indictments.
## Lessons Learned
- Cloud Configuration Risk: A high number of organizations relied solely on simple username/password authentication for storing massive volumes of sensitive data in cloud services like Snowflake.
- Scale of Individual Harm: A single threat actor (Moucka/Judische) demonstrated the capacity to cause significant, systemic harm across numerous large corporations in 2024.
- Misinformation/Harassment: The threat actor group demonstrated willingness to engage in secondary harassment, including creating deepfakes and issuing death threats against security researchers (e.g., Allison Nixon).
## Recommendations
- Mandatory Multi-Factor Authentication (MFA): Immediately enforce MFA across all access points to cloud data services (like Snowflake) and critical enterprise applications.
- Cloud Security Posture Management (CSPM): Implement rigorous auditing to ensure no sensitive data repositories are accessible with weak credentials or misconfigurations.
- Vendor Security Assessment: Re-evaluate security controls provided by third-party data platforms, especially around default access controls.
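One way to act on the MFA and posture-audit recommendations above inside Snowflake itself, as an added example that is not part of the original report: the queries read the SNOWFLAKE.ACCOUNT_USAGE views (which need ACCOUNTADMIN or a role granted that access), and the policy name `require_mfa_policy` and user `etl_loader` are placeholders.

```sql
-- Added example (not from the report). Assumes a role that can read
-- SNOWFLAKE.ACCOUNT_USAGE; policy and user names below are placeholders.

-- 1. Users who can log in with a password but have no MFA enrolled: this is
--    the exposure the campaign abused.
SELECT name, login_name, has_password, has_mfa, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND COALESCE(has_mfa, FALSE) = FALSE
  AND has_rsa_public_key = FALSE      -- key-pair service accounts are listed separately
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days, with source IP and
--    reported client, to review credential use from unexpected places/tools.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 3. Enforce MFA enrollment for human users through an authentication policy
--    applied at account level (users without MFA are prompted to enroll).
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL')
  COMMENT = 'Require MFA enrollment for all human users';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 4. Service accounts cannot complete MFA interactively: mark them as service
--    users, move them to key-pair authentication and remove the password path.
ALTER USER etl_loader SET TYPE = SERVICE;
ALTER USER etl_loader SET RSA_PUBLIC_KEY = '<public key PEM body placeholder>';
ALTER USER etl_loader UNSET PASSWORD;
```

Run queries 1 and 2 before applying the policy to size the change and to catch any service account that still authenticates with a password, since step 3 leaves service users outside the MFA requirement.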