The hacker that managed to break into countless corporate Snowflake accounts and steal the data found inside is still active, researchers are saying. To this day, they are actively trying to extort money out of the victims of the attack that happened months ago.
This is according to Mandiant’s senior threat analyst Austin Larsen, Cyberscoop reports. Larsen spoke during SentinelOne’s LABScon security conference that took place last week and shared the news on the progress of the investigation. Mandiant was the company that Snowflake brought in to investigate the incident this spring, when it was first spotted.
Back then, Mandiant said it was tracking the crook under the moniker UNC5537, but since then they said they go by either “Judische”, or “Waifu”. They are actively targeting software-as-a-service (SaaS) organizations, and the newest incident happened “as recently as today,” Larsen said.
Brute-force
In April this year, a threat actor mounted a brute-force attack against the cloud storage service provider Snowflake, since many of its customers were not using multi-factor authentication (MFA). They successfully broke into many organizations, including Santander Bank, Ticketmaster, and many others. Initially, it was thought that at least 165 organizations were compromised. However, Larsen now believes mere “dozens” of firms were affected.
Mandiant “obtained a series of private communications in which we were able to identify [Judische and associates] essentially coordinating and planning a lot of the Snowflake activity, in some cases, even telling the IP address that they’re dumping logs to,” Cyberscoop cited Larsen.
The group allegedly extorted between $2 million and $2.7 million, and continues to strike organizations to this day.
The identity of the attacker is unknown, but the truth is slowly unraveling. Both Mandiant and cybersecurity journalist Brian Krebs believe the hacker is a 26-year-old software engineer located in Ontario, Canada.
Via Cyberscoop
More from TechRadar Pro
- Hundreds of Snowflake customers may have been hit by breach that stole "significant" data
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now