threatintel
actor tracker
ShinyHunters
Compromiseseverity: Critical2024-05-30

ShinyHunters / UNC5537 Snowflake-customer mass-extortion wave

published by Google Cloud / Mandiant
Actor
ShinyHunters?? · UnknowneCrime

Financially-motivated cybercrime collective active since April 2020, responsible for some of the largest data-theft and extortion incidents of the post-2020 era. Operationally blends credential-stuff…

Summary

Mandiant documented a sustained credential-stuffing campaign — tracked as UNC5537 with significant overlap to ShinyHunters — against Snowflake customer tenants lacking MFA. Credentials were harvested from prior infostealer infections on contractor and employee laptops, then replayed against ~165 Snowflake instances. The campaign produced the year's biggest data-breach headlines: Ticketmaster (560M records), Santander (30M customers across Spain / Chile / Uruguay), AT&T (call/SMS metadata for ~109M subscribers), Neiman Marcus, Advance Auto Parts, Pure Storage, and others. Alleged ringleader Connor Riley Moucka ('Judische') was arrested in Ontario on 30 October 2024.

Tags

credential-stuffingcloud-data-platformmass-extortioninfostealer-supply-chain

Primary source

cloud.google.com

Other ShinyHunters events