Snowflake Hacker Still Active, Finding New Victims, Expert Says

(Bloomberg) -- A hacker responsible for a cybercrime campaign that impacted up to 165 companies this summer is still at large and recently broke into a “handful” of new organizations, according to a cybersecurity specialist at Alphabet Inc.’s Google.

Most Read from Bloomberg

• AOC Proposes $30 Billion Social Housing Authority

• The Moonshot Plan to Eliminate Deaths on America’s Roads

• Belfast’s Grand Central Station Creates New Era for Northern Ireland’s Public Transport

• California’s Anti-Speeding Bill Can Be a Traffic Safety Breakthrough

• New York City’s Transit System Plans $65.4 Billion of Upgrades for Grand Central, Subways

The attacker, who previously stole data from customers of cloud analytics company Snowflake Inc., has since targeted American firms and compromised critical infrastructure organizations based in Russia and Bangladesh, according to Austin Larsen, senior threat analyst at Google who’s been investigating the campaign for months.

US victims are in the health care, technology and telecommunications industries, Larsen said.

That such a prolific hacker has evaded law enforcement despite bragging about the attacks to journalists and security researchers in recent months exemplifies the challenge that cross-border cybercrime poses to law enforcement, thanks to anonymizing communication services and a burgeoning criminal market for stolen credentials.

An analysis of the hacker’s online interactions indicated they were likely a male based in Canada in their 20s who displayed Nazi sympathies, Larsen said. He declined to identify the hacker by name or say if their identity had been passed on to law enforcement.

The hacker recently shared screenshots of records stolen from Russian and Bangladeshi critical infrastructure companies on Telegram, including sensitive customer data, Larsen said. Some intrusions are ongoing, he added.

The attacker gained access to victim organizations by logging onto internet-based login portals or services using stolen passwords purchased on the dark web. The hacker, who Larsen said may be working with others, has a “huge amount of stolen credentials” at least totaling in the hundreds of thousands from numerous organizations around the world. Once inside they could steal data and extort victims, Larsen warned.

“The actor continues to cause harm, compromise additional companies and extort, in some cases,” Larsen said.

In June and July, companies including AT&T Inc., Live Nation Entertainment Inc. and Advanced Auto Parts Inc. disclosed they’d been affected as part of a campaign in which a hacker stole personal data about millions of people. The cybercrime campaign occurred after a hacker broke into misconfigured Snowflake systems to access sensitive data.

The hacker is no longer targeting Snowflake-related data but exploiting tools from another software provider, which Larsen declined to name.

Larsen presented his findings on Friday at the LABScon cyber conference in Arizona.

In June, a person claiming to be the same hacker — and using a pseudonym verified by Larsen — told Bloomberg News over an online chat that they expected to be paid $20 million for the full suite of Snowflake customer data. There’s no evidence to suggest anyone purchased the set. At one point, the hacker made a mistake by posting a video that revealed some technical infrastructure, which Mandiant, a cyber unit of Google Cloud, used to help identify them, Larsen said.

Most Read from Bloomberg Businessweek

• The Man Who Made Nike Uncool

• Xbox’s President on Handheld Consoles and Subscription Gaming

• In Yosemite, Problems With Concessions Keep Piling Up

• The Fed Risks a Political Backlash by Spurring Economy Close to Election

• Why Get An MBA? Recent B-School Grads Weigh In

©2024 Bloomberg L.P.