Mandiant disclosed on Monday the 10th of June a sustained credential-driven mass campaign against Snowflake customer cloud-tenant environments, attributed to a threat-actor cluster it tracks as UNC5537 (Mandiant blog post on the UNC5537 / Snowflake campaign, June 10). On Mandiant's preliminary analysis the campaign has affected approximately 165 customer organisations and has produced sustained data-exfiltration and extortion activity throughout the period. Disclosures by individual affected customers have been continuous through May and into June: Ticketmaster (parent Live Nation, ~560 million customer records), Santander (~30 million customer records), Advance Auto Parts, AT&T (call-record metadata for ~110 million customers), and several others.
The technical pattern. The campaign uses credentials harvested from various sources, predominantly infostealer malware that has, over years of compromise of individual workstations, accumulated substantial credential corpora, against the login interfaces of customer Snowflake tenants. In the documented cases the compromised accounts had no multi-factor authentication enrolled on the Snowflake-tenant authentication path, so a valid username and password alone was sufficient for access. The post-authentication activity is data exfiltration from the customer organisation's Snowflake data warehouse, typically followed by extortion demands. Snowflake's own infrastructure is not, on Mandiant's analysis, compromised; the campaign exploits MFA-coverage gaps in customer organisations' cloud-tenant administrative access.
The MFA-not-enrolled finding is the structural concern. The Snowflake cases follow the same pattern that Change Healthcare demonstrated in February: a substantial customer-organisation cloud-tenant access path without MFA enrolment, exploited through credential-driven access. The post-Change-Healthcare customer-portfolio audit work that I noted in the March writing has been continuous through Q2 and has been validated by the Snowflake situation. The customer-organisation programme work to ensure comprehensive MFA-enrolment coverage across all access paths continues, particularly for the cloud-tenant administrative interfaces that have, on the running pattern, often been excluded from the scope of the standard MFA-rollout programme.
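The audit the two paragraphs above describe (which accounts on a Snowflake tenant can still be unlocked by a password alone, and which of them have actually been logging in that way) can be run from the tenant's own usage views. The following is an added example, not code from the original post, from Snowflake or from Mandiant. It keeps the column names of the SNOWFLAKE.ACCOUNT_USAGE views USERS and LOGIN_HISTORY, but every row is constructed sample data, and KNOWN_EGRESS_IPS is a hypothetical allowlist of the organisation's own egress addresses rather than anything on the page.

```python
"""MFA-coverage audit for a Snowflake tenant, run over exported USERS and LOGIN_HISTORY rows.

Added example (not the post's, Snowflake's or Mandiant's code). Column names follow
SNOWFLAKE.ACCOUNT_USAGE.USERS and SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; all rows below
are constructed, and KNOWN_EGRESS_IPS is a hypothetical organisation allowlist.
"""
from collections import defaultdict

# Constructed rows shaped like ACCOUNT_USAGE.USERS.
SAMPLE_USERS = [
    {"NAME": "ANALYTICS_ADMIN", "HAS_PASSWORD": True,  "EXT_AUTHN_DUO": False, "DISABLED": False},
    {"NAME": "ETL_SVC",         "HAS_PASSWORD": True,  "EXT_AUTHN_DUO": False, "DISABLED": False},
    {"NAME": "JDOE",            "HAS_PASSWORD": True,  "EXT_AUTHN_DUO": True,  "DISABLED": False},
    {"NAME": "OLD_CONTRACTOR",  "HAS_PASSWORD": True,  "EXT_AUTHN_DUO": False, "DISABLED": True},
    {"NAME": "SSO_ONLY",        "HAS_PASSWORD": False, "EXT_AUTHN_DUO": False, "DISABLED": False},
]

# Constructed rows shaped like ACCOUNT_USAGE.LOGIN_HISTORY (IS_SUCCESS is the string 'YES'/'NO').
SAMPLE_LOGINS = [
    {"USER_NAME": "ANALYTICS_ADMIN", "IS_SUCCESS": "YES", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "REPORTED_CLIENT_TYPE": "OTHER", "CLIENT_IP": "203.0.113.5"},
    {"USER_NAME": "ANALYTICS_ADMIN", "IS_SUCCESS": "YES", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "REPORTED_CLIENT_TYPE": "OTHER", "CLIENT_IP": "203.0.113.9"},
    {"USER_NAME": "ANALYTICS_ADMIN", "IS_SUCCESS": "NO",  "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "REPORTED_CLIENT_TYPE": "OTHER", "CLIENT_IP": "203.0.113.9"},
    {"USER_NAME": "JDOE",            "IS_SUCCESS": "YES", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "CLIENT_IP": "198.51.100.7"},
    {"USER_NAME": "ETL_SVC",         "IS_SUCCESS": "YES", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER", "CLIENT_IP": "10.0.0.4"},
]

# Hypothetical: addresses the organisation's own networks and CI runners egress from.
KNOWN_EGRESS_IPS = {"10.0.0.4", "198.51.100.7"}


def users_without_mfa(users):
    """Enabled accounts that can authenticate with a password and have no Duo MFA enrolled.

    These are exactly the accounts a stolen password alone unlocks. Disabled accounts and
    accounts with no password (SSO or key-pair only) are excluded.
    """
    return sorted(
        u["NAME"] for u in users
        if not u["DISABLED"] and u["HAS_PASSWORD"] and not u["EXT_AUTHN_DUO"]
    )


def password_only_logins(logins):
    """Successful logins where a password was the only factor presented."""
    return [
        row for row in logins
        if row["IS_SUCCESS"] == "YES"
        and row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
        and row["SECOND_AUTHENTICATION_FACTOR"] is None
    ]


def coverage_gap_report(users, logins, known_ips):
    """Join the two views: for every MFA-less account, summarise its password-only logins.

    An MFA-less account with no logins in the window still appears (with zero logins), because
    it still needs enrolment or disabling; source IPs outside the allowlist are listed separately.
    """
    gaps = users_without_mfa(users)
    per_user = defaultdict(lambda: {"logins": 0, "client_types": set(), "unknown_ips": set()})
    gap_set = set(gaps)
    for row in password_only_logins(logins):
        if row["USER_NAME"] not in gap_set:
            continue
        entry = per_user[row["USER_NAME"]]
        entry["logins"] += 1
        entry["client_types"].add(row["REPORTED_CLIENT_TYPE"])
        if row["CLIENT_IP"] not in known_ips:
            entry["unknown_ips"].add(row["CLIENT_IP"])
    return {name: per_user[name] for name in gaps}


if __name__ == "__main__":
    for name, entry in coverage_gap_report(SAMPLE_USERS, SAMPLE_LOGINS, KNOWN_EGRESS_IPS).items():
        print(name, entry["logins"], sorted(entry["client_types"]), sorted(entry["unknown_ips"]))
```

On the sample data the report names ANALYTICS_ADMIN (two password-only logins from addresses outside the allowlist) and ETL_SVC (one password-only login from a known address), while JDOE, the disabled contractor and the SSO-only account drop out. The first list is the enrolment backlog; the second, filtered to unknown source addresses, is the set of sessions worth reviewing. Service accounts such as ETL_SVC that cannot take an interactive second factor are the usual reason administrative paths get excluded from an MFA rollout, which is why they need to be listed rather than silently assumed covered.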
For the customer-portfolio response. The audit cycle on customer-organisation Snowflake usage produced two findings: the manufacturer's analytics function uses Snowflake for one of its overseas business units, and the financial-services firm has a Snowflake deployment for a customer-data-analytics workload. Both customer organisations had MFA enrolled on Snowflake-tenant administrative access; the audit-and-verification work confirmed a clean posture. The wider customer-portfolio audit of cloud-tenant MFA coverage has continued the work that the Change Healthcare case catalysed.
The infostealer-malware and credential-corpus question is the broader operational concern. The credential corpora that the UNC5537 cluster (and many other operator clusters) work from are, on the public-research evidence, substantial and growing. The infostealer ecosystem (Lumma, RedLine, Vidar, and others) has been operationally active for years and has produced, in aggregate, credential corpora measured in tens of millions of unique credentials. The customer-organisation defensive posture against this category requires comprehensive MFA coverage on every authenticated access path, credential monitoring that identifies the organisation's own identities in published corpora, and phishing-resistant MFA where the access path is sensitive enough to justify the operational investment.
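The credential-monitoring step mentioned above amounts to triaging a published corpus for entries that belong to the organisation: credentials recorded against its own Snowflake tenant hostname first, then any identity in its e-mail domain recorded against some other site. The following is an added example, not code from the original post or from any vendor. The URL|username|password line format is an assumption modelled on common infostealer log exports; the tenant hostname, e-mail domain, user list and every corpus line are constructed placeholders.

```python
"""Triage of a published credential corpus against an organisation's own identities.

Added example (not the post's or any vendor's code). The line format URL|username|password
is an assumed export layout; ORG_TENANT_HOSTS, ORG_EMAIL_DOMAIN, KNOWN_TENANT_USERS and
every corpus line are constructed placeholders.
"""
import hashlib
from urllib.parse import urlsplit

ORG_TENANT_HOSTS = {"xy12345.snowflakecomputing.com"}   # hypothetical tenant hostname
ORG_EMAIL_DOMAIN = "example.com"                         # hypothetical
KNOWN_TENANT_USERS = {"ANALYTICS_ADMIN", "ETL_SVC", "JDOE"}  # hypothetical tenant user list

# Constructed corpus lines; the passwords are placeholders, not real secrets.
CONSTRUCTED_CORPUS_LINES = [
    "https://xy12345.snowflakecomputing.com/console/login|analytics_admin|Placeholder-Pass-1",
    "https://crm.example-saas.invalid/login|jdoe@example.com|Placeholder-Pass-2",
    "https://xy12345.snowflakecomputing.com/|etl_svc|Placeholder-Pass-3",
    "https://xy12345.snowflakecomputing.com/|legacy_bi|Placeholder-Pass-6",
    "https://ab99999.snowflakecomputing.com/|someone|Placeholder-Pass-4",
    "https://shop.invalid/|unrelated@other.invalid|Placeholder-Pass-5",
    "this line is malformed",
]

# Lower number = handle first.
PRIORITY = {"TENANT_KNOWN_USER": 0, "TENANT_UNKNOWN_USER": 1, "ORG_IDENTITY_ELSEWHERE": 2}


def parse_line(line):
    """Split one corpus line into (host, user, password); None if it does not fit the layout.

    The password field is taken as everything after the second separator so that a
    password containing the separator is not truncated.
    """
    parts = line.strip().split("|", 2)
    if len(parts) != 3:
        return None
    url, user, password = parts
    host = urlsplit(url).hostname
    if not host or not user:
        return None
    return host.lower(), user, password


def redact(password):
    """Short hash prefix used as a reference in the report, so the secret itself is not re-copied."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]


def classify(host, user):
    """Decide whether an entry concerns the organisation, and how urgently."""
    if host in ORG_TENANT_HOSTS:
        if user.upper() in KNOWN_TENANT_USERS:
            return "TENANT_KNOWN_USER"       # a live tenant account: reset and enforce MFA now
        return "TENANT_UNKNOWN_USER"         # recorded against our tenant but not in the user list
    if user.lower().endswith("@" + ORG_EMAIL_DOMAIN):
        return "ORG_IDENTITY_ELSEWHERE"      # our identity on another site; password reuse risk
    return None


def triage(lines):
    """Return the organisation-relevant findings, most urgent first, with secrets redacted."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, user, password = parsed
        category = classify(host, user)
        if category is None:
            continue
        findings.append({"category": category, "user": user, "host": host,
                         "secret_ref": redact(password)})
    findings.sort(key=lambda f: (PRIORITY[f["category"]], f["user"]))
    return findings


if __name__ == "__main__":
    for f in triage(CONSTRUCTED_CORPUS_LINES):
        print(f["category"], f["user"], f["host"], f["secret_ref"])
```

The entries against the other tenant and the unrelated domain are dropped; the two known tenant users come out first, the unknown username recorded against the tenant second (it may be a stale or shadow account and needs checking against the tenant's user list), and the staff e-mail address found on an unrelated site last. Each finding carries only a hash prefix of the password, which is enough to de-duplicate across corpus drops without keeping the plaintext in a ticket.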
The wider strategic point about cloud-tenant security in 2024. The sequence Storm-0558 (cloud-provider-side compromise), Okta support (vendor-tooling-side compromise), Snowflake/UNC5537 (customer-tenant credential-side compromise) demonstrates the multi-dimensional cloud-security risk that customer-organisation programme work needs to address. The Snowflake-specific dimension, customer-tenant access paths without MFA enrolment, is operationally the simplest to remediate and the most pervasive across the wider customer-organisation cloud-deployment landscape. The customer-portfolio briefings continue to push comprehensive MFA coverage as the substantive answer.
I will return to this. The Snowflake situation will continue to develop and the broader cloud-tenant-credential-driven attack pattern will continue.