• Snowflake clarified that the data was not taken due to a breach of its platform but rather targeted users who had not implemented multifactor authentication.
  • ShinyHunters utilized data discovered on EPAM employee systems to access certain Snowflake accounts.

Up to 10 companies are facing ransom demands for a data breach in a campaign targeting Snowflake Inc. users, with claims that a hacker gained access through compromising a third-party contractor.

The hacking campaign targeting Snowflake users was first revealed in late May when 560 million records purportedly stolen from Ticketmaster Entertainment appeared for sale on the Breach Forums hacking site. Subsequently, on June 6, data from U.S. auto parts provider Advance Auto Parts Inc. was also offered for sale.

The link between the two incidents is that both companies were Snowflake customers. Snowflake clarified that the data was not stolen due to a breach of its platform but targeted users who lacked multifactor authentication. Additionally, Snowflake noted that the threat actor seemed to be using credentials previously acquired through information-stealing malware or purchased.

A report from Google LLC’s Mandiant on June 10 revealed that at least 165 organizations were targeted in the hacking campaign.

Recently, Austin Larsen, a Senior Threat Analyst at Mandiant, informed a leading media outlet that up to 10 companies breached in the campaign had received ransom demands ranging from USD 300,000 to USD 5 million to prevent the publication of stolen data. Mandiant attributes the attack to a group known as UNC5537.

While Mandiant was detailing the extent of the extortion attempts against victims, the hacker group ShinyHunters, which claimed responsibility for the attacks, informed a leading publication that they gained access by initially breaching a Belarusian-founded contractor working with the compromised customers.

The purported attack route involved ShinyHunters compromising EPAM Systems Inc., a company listed on the New York Stock Exchange with a market cap of USD 10.11 billion as of the close of regular trading. EPAM specializes in digital platform engineering, software engineering services, and digital product design.

ShinyHunters claims they used data obtained from EPAM employee systems to access certain Snowflake accounts. However, EPAM denies this accusation, stating that the hacker fabricated the story.

Regardless of the validity of the claim, it is notable that EPAM’s primary service involves assisting customers in using and managing their Snowflake accounts, potentially granting access to those accounts by the nature of its offerings. Additionally, it is striking that EPAM counts Ticketmaster and Advance Auto Parts among its major clients, the same companies initially targeted in the attacks on Snowflake customers.