ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > UNC5537

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Other threat group: UNC5537

NamesUNC5537 (Mandiant)
Country[Unknown]
MotivationFinancial gain
First seen2024
Description(Mandiant) Through the course of our incident response engagements and threat intelligence collections, Mandiant has identified a threat campaign targeting Snowflake customer database instances with the intent of data theft and extortion. Snowflake is a multi-cloud data warehousing platform used to store and analyze large amounts of structured and unstructured data. Mandiant tracks this cluster of activity as UNC5537, a financially motivated threat actor suspected to have stolen a significant volume of records from Snowflake customer environments. UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims.

Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment. Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.
Observed
Tools used
Information<https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion>
<https://www.bleepingcomputer.com/news/security/pure-storage-confirms-data-breach-after-snowflake-account-hack/>
Playbook<https://services.google.com/fh/files/misc/snowflake-threat-hunting-guide.pdf>

Last change to this card: 19 June 2024

Download this actor card in PDF or JSON format

Previous: UNC1878
Next: [Vault 7/8]

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]