
Canadian Cops Bust Suspected Hacker Tied to Snowflake Hits

Hacking Suspect Tied to Theft of Data From AT&T, TicketMaster, Santander and Others

Canadian authorities arrested a suspected extortionist tied to the hacking theft of terabytes of data from clients of cloud-based data warehousing platform Snowflake.


The Canadian Department of Justice said that in response to a U.S. request, on Wednesday it arrested Alexander Moucka, aka Connor Moucka, on a provisional arrest warrant. He appeared in court the same day and is next due to appear on Tuesday.

The charges against Moucka have yet to be publicly detailed.

"As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case," Ian McLeod, a spokesperson for Canada's DOJ, told Information Security Media Group. The news of Moucka's arrest and its connection to the Snowflake hack attacks was first reported by Bloomberg.

Moucka's arrest follows the May arrest of U.S. citizen John Erin Binns in Turkey, based on a 2022 U.S. 12-count indictment charging him with hacking T-Mobile in 2021. Security researchers have also linked Binns to the Snowflake customer account breaches, accusing him of being the other major player involved. The U.S. has requested Binns' extradition.*

In June, Google Cloud's Mandiant incident response group said it was helping Bozeman, Montana-based Snowflake probe the data-stealing attacks and notify about 165 customers that their accounts appeared to have been breached by a group codenamed UNC5537, aka Scattered Spider. Data pertaining to millions of individuals appeared to have been stolen from accounts for which Snowflake customers hadn't enabled two-factor authentication.

Publicly named victims of the Snowflake hacks, which began in April and continued at least through May, include Live Nation Entertainment's Ticketmaster, Santander Bank, automotive parts supplier Advance Auto Parts, luxury retailer Neiman Marcus, the Los Angeles Unified School District and Bausch Health.

Moucka may stand accused of being the Snowflake hacker known as Judische, aka Waifu, reported 404 Media. The outlet said its communications with Judische - who claimed to have begun hacking as part of The Com cybercrime community and who earned $2 million via hack attacks - remained undelivered since Oct. 27. Judische told the publication in mid-October: "I've destroyed a lot of evidence and well poisoned the stuff I can't destroy so when/if it does happen it's just conspiracy which I can bond out and beat."

At least 10 victims received ransom demands ranging from $300,000 to $5 million in return for a promise to not leak stolen data, Mandiant said. At least one victim, AT&T, paid the attackers a ransom worth $370,000 in return for a promise to delete stolen data pertaining to 110 million AT&T cellphone plan customers, corroborated by a video showing the attacker doing so, reported Wired.

Despite such guarantees, cybercrime experts say there is scarce evidence that attackers honor such promises. Numerous law enforcement infiltrations, including of the LockBit ransomware group earlier this year, proved the opposite: criminal groups that promised to delete stolen data never did so, leaving open the possibility they might use it later to blackmail breached organizations or affected individuals.

From 'The Community'

Mandiant tracked the financially motivated group that targeted the Snowflake accounts as UNC5537, which has been tied to a number of rapidly executed, high-profile attacks that often involve socially engineering help desks.

Other security researchers have been tracking the attacks, or the apparent groups behind them, under such codenames as 0ktapus, Muddled Libra, Scatter Swine, Scattered Spider and Starfraud. Researchers say the attackers appear to be affiliated with the cybercrime community known as The Com, which also birthed Lapsus$, and which appears to be composed largely not of young Russians but of Westerners (see: Spanish Police Bust Alleged Leader of Scattered Spider).

As Marc Rogers, chief technology officer for the AI observability startup nbhd.ai, said earlier this year: "These are domestic teenagers attacking major domestic corporations" (see: Rising Ransomware Issue: English-Speaking Western Affiliates).

Threat intelligence firm Intel 471 said the @judische Telegram username is connected to the Raid Forums cybercrime account "ellyel8" created in June 2020. That user "has been a key figure within Telegram channels and groups, including Star Sanctuary and Star Chat - also known as the Star Fraud Telegram group - which collectively are one of the biggest SIM-swapping communities operating on Telegram since August 2022," it said.

On May 2, 2024, the Telegram user @judische "made the first Snowflake victim-related comment, claiming to have hacked Santander bank" and stolen data for its subsidiaries in Chile, Spain and Uruguay, it said. Other personas subsequently began to also offer data stolen from Snowflake accounts for sale, including the Breach Forums user "Sp1d3r."

Infostealers Critical

How did the hackers break into the Snowflake accounts?

Mandiant said the attack chain began with information-stealing malware, including the Redline, Meta, Vidar, Raccoon Stealer and Lumma families, that had infected devices storing Snowflake access credentials, with some infections dating back as far as 2020.

The malware appears to have infected systems with poor cyber hygiene. "In several Snowflake-related investigations, Mandiant observed that the initial compromise of infostealer malware occurred on contractor systems that were also used for personal activities, including gaming and downloads of pirated software," it said.

Batches of information stolen by an infostealer from an endpoint, known as a log, get sold through a "cloud of logs" both on cybercrime markets as well as via automated Telegram bots.

For the Snowflake account breaches, attackers accessed credentials from infostealer logs, then used these stolen username and password pairs to log into instances for which customers hadn't enabled two-factor authentication, after which the attackers conducted reconnaissance of the Snowflake account, ultimately "executing similar SQL commands across numerous customer Snowflake instances to stage and exfiltrate data," Mandiant said.

Following the mid-year flurry of Snowflake account takeovers using stolen credentials, the provider introduced mandatory multifactor authentication for all new accounts, starting in October, and began requiring longer passwords and prohibiting password reuse (see: Breach-Weary Snowflake Moves to MFA, 14-Character Passwords).
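The attack chain Mandiant describes above leaves a recognizable trace in login telemetry: a successful login that completed on a password alone, from an IP address or client application the account has never used before. The script below is an added example, not Mandiant's or Snowflake's code, that turns that observation into two checks: a hunt for password-only logins from previously unseen sources after a chosen cutoff date, and a list of every user who has ever completed a login without a second factor (the accounts that the MFA enforcement described above would have protected). It assumes records shaped like the columns of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, EVENT_TIMESTAMP); the sample rows, user names and IP addresses are constructed for the demo.

```python
"""Hunt for password-only Snowflake logins from previously unseen sources.

Added example, not Mandiant's or Snowflake's code. Assumes login records shaped
like Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY columns; all rows below
are constructed sample data using RFC 5737 documentation addresses.
"""
from datetime import datetime

HUNT_CUTOFF = "2024-04-01T00:00:00"  # assumed start of the hunt window (UTC)


def _row(ts, user, ip, client, second_factor, success="YES"):
    """Build one LOGIN_HISTORY-shaped record (helper for the constructed sample)."""
    return {
        "EVENT_TIMESTAMP": ts,
        "USER_NAME": user,
        "CLIENT_IP": ip,
        "REPORTED_CLIENT_TYPE": client,
        "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
        "SECOND_AUTHENTICATION_FACTOR": second_factor,  # None = no MFA completed
        "IS_SUCCESS": success,
    }


# Constructed sample telemetry, not real Snowflake data.
SAMPLE_LOGINS = [
    # Baseline: a service account on a password alone, an analyst with Duo MFA.
    _row("2024-03-04T09:01:00", "ETL_SVC", "203.0.113.10", "PYTHON_DRIVER", None),
    _row("2024-03-05T09:01:00", "ETL_SVC", "203.0.113.10", "PYTHON_DRIVER", None),
    _row("2024-03-05T10:15:00", "J_DOE", "203.0.113.10", "SNOWFLAKE_UI", "DUO_PUSH"),
    # Hunt window: a replayed service-account password from a new IP and client.
    _row("2024-04-14T03:22:00", "ETL_SVC", "198.51.100.77", "JDBC_DRIVER", None, "NO"),
    _row("2024-04-14T03:23:00", "ETL_SVC", "198.51.100.77", "JDBC_DRIVER", None),
    _row("2024-04-15T09:00:00", "ETL_SVC", "203.0.113.10", "PYTHON_DRIVER", None),
    _row("2024-04-16T11:40:00", "J_DOE", "198.51.100.77", "SNOWFLAKE_UI", "DUO_PUSH"),
    _row("2024-05-02T02:05:00", "J_DOE", "192.0.2.5", "SNOWFLAKE_UI", None),
]


def _ts(rec):
    return datetime.fromisoformat(rec["EVENT_TIMESTAMP"])


def build_baseline(rows, cutoff):
    """Map each user to the IPs and client types seen in successful logins before cutoff."""
    cutoff = datetime.fromisoformat(cutoff)
    ips, clients = {}, {}
    for r in rows:
        if r["IS_SUCCESS"] != "YES" or _ts(r) >= cutoff:
            continue
        ips.setdefault(r["USER_NAME"], set()).add(r["CLIENT_IP"])
        clients.setdefault(r["USER_NAME"], set()).add(r["REPORTED_CLIENT_TYPE"])
    return ips, clients


def hunt_password_only_logins(rows, cutoff):
    """Successful logins at or after cutoff with no second factor and a new IP or client.

    A login that completed MFA is skipped: a password lifted from an infostealer
    log cannot satisfy the second factor on its own. Failed logins are skipped
    too, so only actual account access is reported.
    """
    known_ips, known_clients = build_baseline(rows, cutoff)
    start = datetime.fromisoformat(cutoff)
    findings = []
    for r in sorted(rows, key=_ts):
        if _ts(r) < start or r["IS_SUCCESS"] != "YES":
            continue
        if r["SECOND_AUTHENTICATION_FACTOR"] is not None:
            continue
        user = r["USER_NAME"]
        reasons = []
        if r["CLIENT_IP"] not in known_ips.get(user, set()):
            reasons.append("new_ip")
        if r["REPORTED_CLIENT_TYPE"] not in known_clients.get(user, set()):
            reasons.append("new_client")
        if reasons:
            findings.append({"when": r["EVENT_TIMESTAMP"], "user": user,
                             "ip": r["CLIENT_IP"], "client": r["REPORTED_CLIENT_TYPE"],
                             "reasons": reasons})
    return findings


def users_without_mfa(rows):
    """Users that completed at least one login on a password alone: MFA enforcement candidates."""
    return sorted({r["USER_NAME"] for r in rows
                   if r["IS_SUCCESS"] == "YES" and r["SECOND_AUTHENTICATION_FACTOR"] is None})


if __name__ == "__main__":
    for finding in hunt_password_only_logins(SAMPLE_LOGINS, HUNT_CUTOFF):
        print(finding)
    print("password-only users:", users_without_mfa(SAMPLE_LOGINS))
```

On the constructed rows the hunt reports the service-account login from the new IP and JDBC client and the analyst's later password-only login from a new IP, while the analyst's MFA-backed login from that same new IP is not reported. The second check lists both users, because the analyst account, although normally protected by Duo, accepted a password alone once; in a real account that is the gap a mandatory-MFA authentication policy closes.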

Security experts recommend all organizations take steps to counter the ongoing threat posed by credential theft. "Mandiant continues to respond to a high proportion of intrusions where the initial access was obtained using stolen credentials, which can be obtained via multiple methods, most commonly the use of phishing emails, infostealer malware, or purchasing them from actors who used these methods," a spokesperson told ISMG. "The frequent use of infostealers by actors engaging in extortion operations coupled with the continued interest in infostealers across underground communities underscores that they pose a significant ongoing threat to organizations globally."*

*Updated Nov. 5, 2024 17:59 UTC: Added details of Binns' arrest and additional comment from Mandiant.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
