UNC5537: Threat Actor Targeting Snowflake Databases for Data Theft and Extortion

Learn about UNC5537, the threat actor targeting Snowflake databases with stolen credentials. Discover mitigation steps to protect your data.
TL;DR - A threat actor named UNC5537 has been targeting Snowflake database customers using stolen credentials, leading to data theft and extortion. The attackers exploit environments lacking two-factor authentication. Snowflake has issued security advisories and recommendations to help customers enhance their security.

In a recent wave of cyber attacks, a threat actor known as UNC5537 has been targeting Snowflake database customers using stolen credentials. According to cloud security firm Mitiga, these attacks have led to significant data theft and extortion activities, putting numerous organizations at risk.

Details of the Attack

UNC5537 has been observed utilizing stolen customer credentials to access Snowflake environments, focusing primarily on those lacking two-factor authentication (2FA). The attackers have employed a custom attack tool named "rapeflake" to facilitate these breaches. The threat activity has been traced back to commercial VPN IP addresses, adding a layer of anonymity to the attackers' operations.

Mitiga reported that UNC5537 has not only stolen data but also engaged in direct extortion. The stolen data has been publicly posted for sale on hacker forums, increasing the pressure on the affected organizations to comply with the attackers' demands.

Free Assessment

Investigation and Findings

The initial signs of this campaign were detected following inquiries from multiple Snowflake customers and subsequent threat intelligence reports. Mitiga launched its investigation, uncovering a pattern of attacks that began in mid-April 2024. Although Mitiga did not directly contact Snowflake, they assumed the company was aware of the ongoing campaign.

Snowflake confirmed the unauthorized account access on May 23, 2024, through its incident response team. They noted that the attacks did not result from any vulnerability or misconfiguration within Snowflake's product but were likely due to identity-based attacks leveraging exposed customer credentials.

Protect your organization from the growing threat of UNC5537. Join our exclusive webinar, "Understanding and Combating UNC5537 Threats," on June 7, 2024, at 1:00 PM PST. Learn about the tactics, techniques, and procedures used by this significant threat actor targeting Snowflake databases. Gain insights into threat hunting methods, real-world case studies, and best practices for securing your Snowflake environment.

Apply now to secure your spot in this critical event. Don't miss the opportunity to stay ahead of emerging threats and protect your valuable data.

Mitigation and Response

In response to these incidents, Snowflake has issued a security advisory urging customers to enhance their account security. Key recommendations include:

  • Enforcing Multi-Factor Authentication (MFA): Ensure that all accounts, especially those accessing critical data, are protected by MFA.
  • Reviewing Access Logs: Regularly monitor login attempts and access logs for any unusual activities.
  • Implementing Network Segmentation: Restrict access to Snowflake environments through network segmentation and whitelisting of IP addresses.

Additionally, Snowflake has provided indicators of compromise (IoCs) and investigative queries to help customers identify and respond to potential threats.

Broader Implications

The attacks on Snowflake customers highlight a broader trend of increasing identity-based attacks. These incidents underscore the challenges cloud service providers face in securing customer data and the need for robust security measures. Continuous monitoring, threat hunting, and proactive security practices are essential to mitigate such risks.

Wrapping Up

The UNC5537 threat actor's campaign against Snowflake customers serves as a stark reminder of the importance of robust security measures. Organizations must prioritize the implementation of multi-factor authentication, regular monitoring of access logs, and stringent access controls to protect their data. Proactive threat hunting and continuous vigilance are crucial in staying ahead of potential security threats.


Who is UNC5537 and what are they targeting?
UNC5537 is a threat actor group targeting Snowflake database customers using stolen credentials to conduct data theft and extortion.
What is "rapeflake" and how is it used in the attacks?
"Rapeflake" is a custom attack tool used by UNC5537 to exploit vulnerabilities in Snowflake environments that lack two-factor authentication.
How can organizations protect themselves from similar attacks?
Organizations should enforce multi-factor authentication, monitor access logs, and implement network segmentation to enhance their security.
Why is two-factor authentication crucial for security?
Two-factor authentication provides an additional layer of security, making it significantly harder for attackers to gain unauthorized access using stolen credentials.
What steps has Snowflake taken in response to these attacks?
Snowflake has issued a security advisory with recommendations, provided IoCs, and investigative queries to help customers secure their accounts and detect potential threats.

Never miss an update.

Subscribe for spam-free updates and articles.
Thanks for subscribing!
Oops! Something went wrong while submitting the form.