
Snowflake hacker still active and finding new victims, expert says

A hacker responsible for a cybercrime campaign that affected up to 165 companies this summer is still at large and has recently broken into a “handful” of new organizations, according to a cybersecurity specialist at Alphabet’s Google Inc.

The attacker, who previously stole data from customers of cloud analytics company Snowflake Inc., has since targeted U.S. firms and compromised critical infrastructure organizations based in Russia and Bangladesh, according to Austin Larsen, a senior threat analyst at Google who has been investigating the campaign for months.

U.S. victims are in the health, technology and telecommunications industries, Larsen said.


That such a prolific hacker has eluded law enforcement, despite bragging in recent months about attacks on journalists and security researchers, exemplifies the challenge cross-border cybercrime poses to investigators: communications services that anonymize their users and a booming criminal market for stolen credentials.

An analysis of the hacker’s online interactions indicated he was likely a 20-year-old man from Canada who displayed Nazi sympathies, Larsen said. He declined to identify the hacker by name or say whether the hacker’s identity had been passed on to law enforcement.

The hacker recently shared screenshots of records stolen from critical infrastructure companies in Russia and Bangladesh on Telegram, including sensitive customer data, Larsen said. Some intrusions are underway, he added.


The attacker gained access to victim organizations by logging into internet-facing portals or login services with stolen passwords purchased on the dark web. The hacker, who Larsen said may be working with others, holds a “huge amount of stolen credentials,” at least hundreds of thousands, from numerous organizations around the world. Once inside, the attacker could steal data and blackmail victims, Larsen warned.

“The actor continues to cause harm, compromise other companies and extort, in some cases,” Larsen said.

In June and July, companies such as AT&T Inc., Live Nation Entertainment Inc. and Advance Auto Parts Inc. revealed that they were affected by a campaign in which a hacker stole personal data about millions of people. The cybercrime campaign occurred after a hacker broke into poorly configured Snowflake systems to access sensitive data.

The hacker is no longer targeting data related to Snowflake, but is exploiting tools from another software vendor, which Larsen declined to name.

Larsen presented his findings Friday at the LABScon cyber conference in Arizona.

In June, a person claiming to be the same hacker — and using a pseudonym verified by Larsen — told Bloomberg News in an online chat that he expected to be paid $20 million for the full set of Snowflake customer data. There is no evidence to suggest that anyone bought the set. At one point, the hacker made the mistake of posting a video that revealed part of his technical infrastructure, which Mandiant, a cyber unit of Google Cloud, used to identify him, Larsen said.

Top photo: A computer mouse. Photographer: Andrey Rudakov/Bloomberg.

Copyright 2024 Bloomberg.
