Google Reveals New Threat: Mandiant Exposes Cybercriminal Gang’s Advanced Tactics
UNC5537’s Credential-Based Snowflake Heists: Why Your Zero-Trust Posture Is a Paper Tiger
In 2024, Mandiant confirmed what many security teams had suspected: the most damaging Snowflake customer breaches were not the result of zero-day vulnerabilities or anything novel. They were enabled by something far more mundane, and far more preventable: stolen credentials. The financially motivated threat cluster UNC5537 systematically accessed Snowflake customer instances using credentials harvested by infostealer malware, then used that access for data theft and extortion. There was no breach of Snowflake's own infrastructure and no new attack technique. Every intrusion Mandiant investigated traced back to a valid customer credential, a missing second factor, and nobody looking at the logs.
The Tech TL;DR:
- Blast Radius: Every UNC5537 intrusion Mandiant investigated began with credentials stolen by infostealer malware (e.g., RedLine, Vidar) from employee or contractor machines. No Snowflake-specific exploit was involved.
- Mitigation Gap: Snowflake's ACCOUNT_USAGE views retain 365 days of login and query history, so the activity is almost always still visible after the fact, but most enterprises have neither Snowflake-specific detection rules nor the analyst time to hunt in them.
- Actionable Fix: Enforce MFA, restrict source IPs with network policies, rotate long-lived passwords, and audit privileged roles. Expect credential-based access to remain the cheapest route for this actor, whether into Snowflake or into the VPN and remote-desktop systems that sit beside it.
Why UNC5537’s Playbook Exposes Snowflake’s Credential Dependency
UNC5537's operations are a case study in how security for a software-as-a-service (SaaS) data platform fails when it is treated as a checkbox rather than a continuous process. The group's modus operandi, as documented in Mandiant's June 2024 report, hinges on three stages:

- Credential Harvesting: Victims' Snowflake accounts were accessed with stolen credentials obtained through infostealer malware running on employee and contractor workstations, in some cases years before the intrusion.
- Data Access and Staging: Once authenticated, UNC5537 ran ordinary SQL through standard clients to enumerate and pull high-value tables (e.g., PII, financial records). Nothing in that traffic is malformed, so signature-based alerts do not fire; only behavioural baselines catch it.
- Extortion: Stolen data was advertised for sale on cybercrime forums and victims received ransom demands. There is no encryption step, so this is pure data extortion rather than classic double extortion.
“UNC5537’s campaign isn’t about Snowflake’s weaknesses—it’s about the victims’ failure to enforce MFA and monitor for anomalous API calls. This is a credential hygiene problem, not a platform flaw.”
— Alon Klayman, Lead Security Researcher, Team Axon
The absence of MFA was the critical enabler. Mandiant reported that none of the impacted accounts had MFA enabled: at the time Snowflake's MFA was per-user Duo enrollment that users could simply skip, and none of the accounts were protected by a network policy restricting source IPs, so a valid username and password from anywhere on the internet was sufficient. Several of the credentials were years old and had never been rotated. This is not a Snowflake-specific issue; it reflects how identity-first security is often an afterthought in cloud deployments.
The Technical Flow: From Infostealer to Data Theft
UNC5537’s attack chain follows a predictable pattern, but its execution reveals critical gaps in enterprise Snowflake deployments:

| Stage | Tactic | Snowflake-Specific Indicator | Mitigation |
|---|---|---|---|
| 1. Credential theft | Infostealer malware on employee or contractor endpoints (e.g., RedLine, Vidar) | None in Snowflake; the theft happens on the local machine, often long before the login | Endpoint Detection and Response (EDR), credential rotation, no saved passwords in browsers |
| 2. Initial access | Login with valid stolen credentials through standard clients | New client IP or client type for a user in ACCOUNT_USAGE.LOGIN_HISTORY; only a single authentication factor recorded | MFA enforcement via authentication policy plus a network policy restricting source IPs |
| 3. Discovery and privilege abuse | Enumerating databases, roles and grants available to the account; where the account is over-privileged, creating users or granting roles | Unexpected CREATE USER, ALTER USER or GRANT ROLE statements in ACCOUNT_USAGE.QUERY_HISTORY | Role-based access control (RBAC) audits, least privilege, just-in-time (JIT) elevation for admin roles |
| 4. Data exfiltration | Bulk COPY INTO @external_stage unloads, or large SELECTs pulled through the client | UNLOAD queries, CREATE STAGE with a URL, unusually large result volumes | ACCOUNT_USAGE.QUERY_HISTORY monitoring against per-user baselines; masking policies on sensitive columns |
The threat hunting guide Snowflake and Mandiant released alongside the report points out that the SNOWFLAKE.ACCOUNT_USAGE views retain 365 days of login and query history, which is plenty of time to find UNC5537's activity. Note the distinction: the INFORMATION_SCHEMA table functions (LOGIN_HISTORY, QUERY_HISTORY) only return the last 7 days, so a 90-day hunt has to use ACCOUNT_USAGE. Most enterprises simply never run these queries. A login hunt looks like this:
```sql
-- Successful single-factor logins from outside an approved IP set, last 90 days.
-- Snowflake has no "trusted location" column; the CIDR prefixes below are assumptions to replace.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND second_authentication_factor IS NULL
  AND NOT (client_ip LIKE '203.0.113.%' OR client_ip LIKE '198.51.100.%')
ORDER BY event_timestamp DESC;
```
This query flags password-only logins from addresses you do not recognise, a key UNC5537 TTP (Tactic, Technique, Procedure), since the actor connected from commercial VPN and hosting ranges rather than victim networks. However, without contextual enrichment (correlating with VPN logs, EDR alerts, or a baseline of each user's normal client IPs), these signals often go unnoticed.
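Extending the login query to the rest of the chain, here is an added set of hunting queries written for this article (not taken from the Mandiant or Snowflake guides) that cover stages 2 through 4 of the table above: logins from infrastructure a user has never used before, privilege and MFA-related changes, and unloads or oversized result sets. Everything runs against SNOWFLAKE.ACCOUNT_USAGE, which lags live activity by up to a couple of hours; the time windows and the 1 GiB result-size threshold are assumptions to tune per account.

```sql
-- Hunting queries over SNOWFLAKE.ACCOUNT_USAGE (365-day retention, ~2h latency).
-- Requires a role with IMPORTED PRIVILEGES on the SNOWFLAKE database (ACCOUNTADMIN by default).

-- 1. Initial access: successful logins in the last 7 days from a client IP that the same
--    user never logged in from during the preceding 90 days (new-infrastructure indicator).
WITH baseline AS (
  SELECT DISTINCT user_name, client_ip
  FROM snowflake.account_usage.login_history
  WHERE is_success = 'YES'
    AND event_timestamp >= DATEADD('day', -97, CURRENT_TIMESTAMP())
    AND event_timestamp <  DATEADD('day', -7,  CURRENT_TIMESTAMP())
),
recent AS (
  SELECT user_name, client_ip, reported_client_type,
         first_authentication_factor, second_authentication_factor,
         MIN(event_timestamp) AS first_seen, COUNT(*) AS logins
  FROM snowflake.account_usage.login_history
  WHERE is_success = 'YES'
    AND event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  GROUP BY user_name, client_ip, reported_client_type,
           first_authentication_factor, second_authentication_factor
)
SELECT r.*
FROM recent r
LEFT JOIN baseline b
  ON b.user_name = r.user_name AND b.client_ip = r.client_ip
WHERE b.user_name IS NULL                      -- IP never seen for this user before
ORDER BY r.first_seen DESC;

-- 2. Privilege abuse: user, grant, account and network-policy changes, and attempts to
--    switch MFA off (ALTER USER ... SET DISABLE_MFA = TRUE). A data-theft actor does not
--    need any of these; review each hit against your change records.
SELECT start_time, user_name, role_name, query_type, query_text
FROM snowflake.account_usage.query_history
WHERE start_time >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND execution_status = 'SUCCESS'
  AND (TRIM(query_text) ILIKE 'CREATE USER%'
       OR TRIM(query_text) ILIKE 'ALTER USER%'
       OR TRIM(query_text) ILIKE 'GRANT ROLE %'
       OR TRIM(query_text) ILIKE 'ALTER ACCOUNT%'
       OR TRIM(query_text) ILIKE 'CREATE NETWORK POLICY%'
       OR TRIM(query_text) ILIKE 'ALTER NETWORK POLICY%'
       OR query_text ILIKE '%DISABLE_MFA%')
ORDER BY start_time DESC;

-- 3. Exfiltration: unloads to a stage or external location (COPY INTO <location> is
--    recorded with QUERY_TYPE = 'UNLOAD'), new stages pointing at external URLs, files
--    pulled with GET, and result sets larger than an assumed 1 GiB threshold.
SELECT start_time, user_name, role_name, warehouse_name, query_type,
       rows_unloaded, bytes_written_to_result, outbound_data_transfer_bytes, query_text
FROM snowflake.account_usage.query_history
WHERE start_time >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND execution_status = 'SUCCESS'
  AND (query_type = 'UNLOAD'
       OR TRIM(query_text) ILIKE 'COPY INTO @%'
       OR TRIM(query_text) ILIKE 'COPY INTO ''%://%'
       OR TRIM(query_text) ILIKE 'CREATE%STAGE%URL%'
       OR TRIM(query_text) ILIKE 'GET %@%'
       OR bytes_written_to_result > 1073741824)   -- 1 GiB; baseline this per account
ORDER BY COALESCE(outbound_data_transfer_bytes, 0) + bytes_written_to_result DESC;
```

Query 1 is the one that would have fired earliest in the UNC5537 cases: the actor's VPN and hosting addresses had no history for the victim users. Queries 2 and 3 are noisy on their own (legitimate admins grant roles and analysts unload data), so feed the results to the SIEM and alert on the combination of a never-seen IP followed by an unload from the same session rather than on any single row.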
Why UNC5537’s Success Is a Wake-Up Call for Snowflake Adoption
UNC5537’s campaign underscores a harsh reality: Snowflake’s security model assumes customers will harden their own environments. The platform provides tools—MFA, RBAC, audit logging—but enforcement is left to the customer. This is where most enterprises fail:
- MFA not enforced: Mandiant found that none of the impacted accounts had MFA enabled. At the time, Snowflake MFA was opt-in per user and not enforced by default, so in practice most human accounts never enrolled.
- Privilege creep: Over-provisioned roles (e.g., ACCOUNTADMIN granted to everyday analyst users) are common, giving an attacker broad read access the moment a credential is compromised.
- Logging blind spots: Snowflake's ACCOUNT_USAGE logs are rich but require SQL skills and Snowflake-specific detection rules to interpret, and most SOCs have neither in place.
“UNC5537’s playbook is a reminder that cloud security isn’t about the platform—it’s about the people and processes around it. If your Snowflake deployment doesn’t have MFA, RBAC, and continuous logging reviews, you’re not securing Snowflake—you’re securing nothing.”
— Yagel Yosef, Co-Founder, Team Axon
IT Triage: Who Can Help You Harden Snowflake?
If your organization is running Snowflake without MFA, you are one compromised credential away from a UNC5537-style breach. Here is how to remediate:
- Immediate Hardening:
  - Enforce MFA. Users enroll in Snowflake MFA themselves, so do not rely on asking them; attach an authentication policy to the account that makes enrollment mandatory for password logins (policies are schema-level objects; the security.policies schema name is an assumption):
    ```sql
    -- Require MFA enrollment for every user who authenticates with a password.
    CREATE AUTHENTICATION POLICY IF NOT EXISTS security.policies.require_mfa
      MFA_ENROLLMENT = REQUIRED
      MFA_AUTHENTICATION_METHODS = ('PASSWORD');
    ALTER ACCOUNT SET AUTHENTICATION POLICY security.policies.require_mfa;
    ```
  - Audit who holds privileged roles, and who granted them:
    ```sql
    -- Active grants of the administrative roles to users (ACCOUNT_USAGE, 365-day retention).
    SELECT grantee_name, role, granted_by, created_on
    FROM snowflake.account_usage.grants_to_users
    WHERE deleted_on IS NULL
      AND role IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'SYSADMIN')
    ORDER BY role, created_on;
    ```
- Deploy SOC-as-a-Service providers with Snowflake-specific expertise (e.g., Team Axon, Mandiant).
- Integrate Snowflake logs with SIEM tools (e.g., Splunk, Chronicle) for anomaly detection.
- Adopt just-in-time (JIT) access for admin roles (e.g., BeyondTrust).
- Reduce what a stolen credential can read: apply masking policies to PII columns and row access policies to sensitive tables. These are Snowflake's native column- and row-level controls, not a DLP product, but they limit the blast radius of any single compromised user.
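As an added example, not drawn from the Mandiant report or the Snowflake documentation verbatim, the script below turns the remaining hardening items into a runnable sequence: an inventory query that lists the accounts still exposed (password login, no MFA, stale password), an account network policy, a password policy that forces rotation, and a masking policy on a PII column. The database and schema names (security.policies, crm.public.customers), the PII_READER role and the IP ranges are all assumptions to replace with your own.

```sql
-- Snowflake hardening against stolen-credential access. Run as ACCOUNTADMIN.
-- All object names and IP ranges below are assumptions for illustration.
CREATE DATABASE IF NOT EXISTS security;
CREATE SCHEMA IF NOT EXISTS security.policies;

-- 1. Inventory the exposure first: enabled users who can log in with a password but have
--    never enrolled in MFA, with password age. This is the list UNC5537 would be shopping from.
SELECT name, login_name, has_rsa_public_key, password_last_set_time, last_success_login,
       DATEDIFF('day', password_last_set_time, CURRENT_TIMESTAMP()) AS password_age_days
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::BOOLEAN = FALSE
  AND has_password = TRUE
  AND has_mfa = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Network policy: accept logins only from corporate egress addresses. The observed
--    UNC5537 logins came from commercial VPN and hosting ranges, which this blocks outright.
--    Service accounts that connect from elsewhere get their own user-level policy instead.
CREATE OR REPLACE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.7')   -- assumption: replace with real egress
  COMMENT = 'Corporate egress only; pair with per-user policies for service accounts';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 3. Password policy: forced rotation means a credential stolen by an infostealer a year
--    ago is dead by the time it is sold; retries and lockout slow credential stuffing.
CREATE OR REPLACE PASSWORD POLICY security.policies.rotate_90d
  PASSWORD_MIN_LENGTH = 14
  PASSWORD_MAX_AGE_DAYS = 90
  PASSWORD_HISTORY = 12
  PASSWORD_MAX_RETRIES = 5
  PASSWORD_LOCKOUT_TIME_MINS = 30;
ALTER ACCOUNT SET PASSWORD POLICY security.policies.rotate_90d;

-- 4. Limit what any single compromised account can read: dynamic data masking hides the
--    PII column from every role except an explicitly approved one (assumed: PII_READER).
CREATE OR REPLACE MASKING POLICY security.policies.pii_mask AS (val STRING) RETURNS STRING ->
  CASE WHEN IS_ROLE_IN_SESSION('PII_READER') THEN val ELSE '****' END;
ALTER TABLE crm.public.customers MODIFY COLUMN email
  SET MASKING POLICY security.policies.pii_mask;
```

Apply the network policy last and only after confirming your own address appears in ALLOWED_IP_LIST, since it takes effect for new sessions immediately; Snowflake will refuse to set a policy that would lock out the current session's IP, but it cannot know about your colleagues. Rerun the inventory query a week later: any row still present is an account that ignored the MFA requirement or a service account that should be moved to key-pair authentication.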
The Bigger Picture: UNC5537 as a Harbinger
UNC5537’s campaign is a microcosm of a broader trend: cybercriminals are shifting from platform exploits to credential-based attacks. This is cheaper, more scalable, and harder to detect than zero-days. For Snowflake customers, the lesson is clear: Your weakest link isn’t the cloud—it’s your identity stack.
Enterprises must treat Snowflake like any other critical system: segment access, monitor logs, and enforce least privilege. The tools exist (MFA, RBAC, network policies, audit logging), but execution is where most fail. If this actor or its imitators pivot to the VPN and remote-desktop systems that sit beside the data platform, the same stolen-credential playbook will work there too, so the window for remediation is closing.
For a comprehensive Snowflake security audit, start with the threat hunting guide Snowflake and Mandiant published and pair it with a zero-trust architecture review. The question is not whether UNC5537 will adapt; it is whether your logs will show you when it does.
Disclaimer: The technical analyses and security protocols detailed in this article are for informational purposes only. Always consult with certified IT and cybersecurity professionals before altering enterprise networks or handling sensitive data.
