UNC5537 – Threat Actor

June 14, 2024

UNC5537

Other Names

Unknown

Location

Unknown

Date of initial activity

2024

Suspected attribution

Unknown

Government Affiliation

Unknown

Associated Groups

Unknown

Motivation

Financial gain through data theft and extortion

Associated tools

FROSTBITE (Rapeflake), DBeaver Ultimate, VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA and METASTEALER

Active

Yes

Overview

UNC5537 has only recently been formally identified and tracked by Mandiant, thus appearing solely in Mandiant’s taxonomy for the time being. This financially motivated threat actor, unrelated to any nation state, has targeted hundreds of organizations globally. Its members are primarily located in North America, with one confirmed collaborator traced to Turkey, and potential associations with other groups. Operating under various aliases, they coordinate through Telegram channels and cybercrime forums, mainly accessing victim instances using Mullvad or Private Internet Access (PIA) virtual private network (VPN) IP addresses. Stolen data is transmitted through virtual private servers (VPS) provided by Alexhost, based in Moldova, and stored on systems of several other VPS providers, as well as the cloud-storage provider Mega. Mandiant notes that UNC5537’s campaign lacks novelty or sophistication. Its broad impact primarily results from the increasing use of infostealers, coupled with missed opportunities by victims to secure themselves.

Common targets

Multi-industry companies worldwide

Attack Vectors

Compromised credentials

How they operate

Initial access to Snowflake customer instances often occurred via the native web-based UI (Snowflake UI, also known as SnowSight) and the command-line interface (CLI) tool (SnowSQL) running on Windows Server 2022. Mandiant identified additional access methods involving a utility named “rapeflake,” which Mandiant tracks as FROSTBITE. Both .NET and Java versions of FROSTBITE have been observed. The .NET version interacts with the Snowflake .NET driver, while the Java version interacts with the Snowflake JDBC driver. FROSTBITE has been seen performing SQL reconnaissance activities, including listing users, current roles, current IPs, session IDs, and organization names. Mandiant also observed UNC5537 using a publicly available database management utility, DBeaver Ultimate, to connect to and run queries across Snowflake instances.

Mandiant observed UNC5537 repeatedly executing similar SQL commands across numerous customer Snowflake instances to stage and exfiltrate data. The following commands were observed for data staging and exfiltration:

  • SHOW TABLES: UNC5537 used the SHOW TABLES command to perform reconnaissance, listing all databases and associated tables present across the impacted customer environments.
  • SELECT * FROM: UNC5537 used the SELECT command to download individual tables of interest to the threat actor.
  • LIST/LS: UNC5537 attempted to enumerate other stages using the LIST command before creating temporary stages.
  • CREATE (TEMP|TEMPORARY) STAGE: UNC5537 created temporary stages for data staging using the CREATE STAGE command. Stages are named tables that store data files for loading into and unloading from database tables. If the stage is identified as temporary upon creation, it is deleted once the creator’s current Snowflake session ends.
  • COPY INTO: UNC5537 used the COPY INTO command to copy data into the previously created temporary stages. The COPY INTO command can transfer information to/from internal stages, external stages tied to cloud services, and internal Snowflake tables. The threat actor compressed the results as a GZIP file using the COMPRESSION parameter to reduce the overall size of data before exfiltration.
  • GET: Finally, UNC5537 used the GET command to exfiltrate data from the temporary stages to locally specified directories.

UNC5537 operates under various aliases on Telegram channels and cybercrime forums. Mandiant has identified members with associations to other tracked groups and assesses with moderate confidence that UNC5537 comprises members based in North America, collaborating with an additional member in Turkey.

Attacker Infrastructure

UNC5537 primarily used Mullvad or Private Internet Access (PIA) VPN IP addresses to access victim Snowflake instances. When exfiltrating data, Mandiant observed the use of VPS systems from ALEXHOST SRL (AS200019), a Moldovan provider. UNC5537 was also seen storing stolen victim data on several international VPS providers as well as the cloud storage provider MEGA.
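The staging sequence above (CREATE TEMP STAGE, then COPY INTO the stage, then GET from it, preceded by SHOW TABLES / SELECT * / LIST reconnaissance) is a concrete pattern a defender can hunt for in Snowflake query logs. The routine below is an added example, not code from the original profile or from Mandiant: it groups constructed query-history records by session (field names follow Snowflake's QUERY_HISTORY columns SESSION_ID, USER_NAME and QUERY_TEXT, lower-cased) and alerts when the three-step staging chain occurs in order within one session, listing any reconnaissance commands seen alongside it.

```python
import re
from collections import defaultdict

# Constructed records in the shape of Snowflake's QUERY_HISTORY view; values are made up.
SAMPLE_QUERY_HISTORY = [
    {"session_id": 101, "user_name": "SVC_ETL", "query_text": "SHOW TABLES IN ACCOUNT"},
    {"session_id": 101, "user_name": "SVC_ETL", "query_text": "SELECT * FROM PROD.CUSTOMERS"},
    {"session_id": 101, "user_name": "SVC_ETL", "query_text": "LIST @~"},
    {"session_id": 101, "user_name": "SVC_ETL", "query_text": "CREATE TEMPORARY STAGE tmp_x"},
    {"session_id": 101, "user_name": "SVC_ETL", "query_text":
        "COPY INTO @tmp_x FROM (SELECT * FROM PROD.CUSTOMERS) FILE_FORMAT = (TYPE = CSV COMPRESSION = GZIP)"},
    {"session_id": 101, "user_name": "SVC_ETL", "query_text": "GET @tmp_x file:///tmp/out/"},
    {"session_id": 202, "user_name": "ANALYST", "query_text": "CREATE TEMP STAGE my_stage"},
    {"session_id": 202, "user_name": "ANALYST", "query_text": "PUT file:///data.csv @my_stage"},
]

# One label per command family described in the profile above.
PATTERNS = {
    "recon_show_tables": re.compile(r"^\s*SHOW\s+TABLES\b", re.I),
    "recon_list_stage": re.compile(r"^\s*(LIST|LS)\s+@", re.I),
    "bulk_select": re.compile(r"^\s*SELECT\s+\*\s+FROM\b", re.I),
    "create_temp_stage": re.compile(r"^\s*CREATE\s+(TEMP|TEMPORARY)\s+STAGE\b", re.I),
    "copy_into_stage": re.compile(r"^\s*COPY\s+INTO\s+@", re.I),
    "get_from_stage": re.compile(r"^\s*GET\s+@", re.I),
}
# The staging chain that must occur, in this order, within a single session.
EXFIL_CHAIN = ("create_temp_stage", "copy_into_stage", "get_from_stage")

def classify(query_text):
    """Labels matching a single query text (empty list for queries of no interest)."""
    return [name for name, rx in PATTERNS.items() if rx.search(query_text)]

def contains_in_order(labels, chain):
    """True if every step of chain occurs in labels, in order (gaps allowed)."""
    it = iter(labels)
    return all(any(step == seen for seen in it) for step in chain)

def detect_exfil_sessions(records):
    """Return one alert per session whose queries form the temp-stage exfil chain."""
    per_session, users = defaultdict(list), {}
    for rec in records:
        users[rec["session_id"]] = rec["user_name"]
        per_session[rec["session_id"]].extend(classify(rec["query_text"]))
    alerts = []
    for sid, labels in per_session.items():
        if contains_in_order(labels, EXFIL_CHAIN):
            recon = sorted(set(labels) - set(EXFIL_CHAIN))  # reconnaissance seen in the same session
            alerts.append({"session_id": sid, "user_name": users[sid], "recon": recon})
    return alerts
```

Session 202 uploads a file with PUT rather than pulling data out with GET, so it is not flagged; a legitimate unload job that does match the chain should be tuned out by user, role or client IP rather than by relaxing the pattern.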

Significant Attacks

  • A threat actor, tracked as UNC5537, “has been observed using stolen customer credentials to target organizations utilizing Snowflake databases” to conduct data theft and extortion-related activity. (May 2024)
References:
  • Threat actor compromising Snowflake database customers
  • UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion