Concise Cyber

Snowflake Breach Explained: How UNC5537 Used Stolen Credentials to Hit Ticketmaster

A series of high-profile data breaches targeting major companies like Ticketmaster and Santander has been traced back to a single, overarching campaign: a targeted attack on customers of the cloud data platform, Snowflake. However, this wasn’t a vulnerability within Snowflake itself. Instead, it was a classic, yet devastatingly effective, attack on the weakest link in the security chain—stolen user credentials. The threat actor, tracked by Mandiant as UNC5537, orchestrated a massive campaign using credentials harvested by infostealer malware, highlighting a critical blind spot in many organizations’ cloud security posture.

The attacks, which have impacted hundreds of Snowflake customers, underscore a pivotal shift in threat actor tactics. Rather than spending resources trying to breach hardened cloud infrastructure, groups like UNC5537 are focusing on the end-users. They leverage widespread infostealer malware infections to siphon credentials directly from employee or contractor systems, often finding accounts that lack the fundamental protection of Multi-Factor Authentication (MFA).

Deconstructing the UNC5537 Credential Campaign

The success of the UNC5537 campaign hinges on a simple, multi-stage process. First, the attackers gain access to a vast pool of login credentials through various infostealer malware variants like Vidar, RisePro, and Lumma. These malicious programs are often distributed through phishing campaigns, cracked software, or malicious downloads. Once a system is infected, the malware scrapes saved browser credentials, cookies, and other sensitive information, which is then sold or used by criminal groups.

With this trove of stolen data, UNC5537 identifies credentials belonging to employees of organizations known to use Snowflake. The attackers then attempt to log into the company’s Snowflake instance using these stolen logins. The campaign’s high success rate is directly attributable to a lack of enforced MFA on the targeted accounts. Without this second layer of defense, a valid username and password was all UNC5537 needed to gain full access to sensitive corporate data warehouses. Once inside, the group exfiltrated massive datasets and proceeded to extort their victims, as seen in the public breach notifications from Ticketmaster’s parent company, Live Nation.

The Ripple Effect: A Wake-Up Call for Cloud IAM

This incident is a stark reminder that cloud security is a shared responsibility. While Snowflake provides a secure platform, its customers are ultimately responsible for implementing and enforcing proper Identity and Access Management (IAM) controls. The fallout from this campaign serves as a critical case study in the dangers of inadequate credential hygiene. For any organization using Snowflake or other cloud service platforms, immediate action is required to mitigate this type of threat.

Key defensive measures include: enforcing MFA across all accounts without exception, regularly auditing user accounts for dormant or overly permissive access, implementing network IP allowlists to restrict access to trusted locations, and educating employees on the dangers of infostealer malware. The UNC5537 campaign proves that even the most secure cloud environments are only as strong as the credentials used to access them. Protecting those credentials is no longer just a best practice; it’s an absolute necessity for survival in the current threat landscape.
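The three account-level checks above (password-only logins, logins from outside an allowlist, and dormant accounts) can be run against a Snowflake login history export. The script below is an added example written for this article; it is not code from Snowflake or from the original post. The column names mirror Snowflake's `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` view, but the sample rows, the trusted CIDR range and the user list are all constructed for illustration, and the audit assumes the export has already been pulled into a list of dictionaries.

```python
"""Audit a Snowflake-style login history export for the weaknesses the
UNC5537 campaign exploited: password-only logins (no second factor),
logins from outside a trusted IP allowlist, and dormant accounts."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample rows shaped like SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.
# The column names are the real ones; every value is made up for this example.
SAMPLE_LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2024-05-20 08:02:11", "USER_NAME": "ALICE",
     "CLIENT_IP": "203.0.113.10", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "OTP", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-21 02:47:30", "USER_NAME": "BOB",
     "CLIENT_IP": "198.51.100.77", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-21 02:48:05", "USER_NAME": "BOB",
     "CLIENT_IP": "198.51.100.77", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-05-22 09:15:00", "USER_NAME": "SVC_ETL",
     "CLIENT_IP": "203.0.113.22", "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-01-03 11:00:00", "USER_NAME": "CAROL",
     "CLIENT_IP": "203.0.113.15", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "OTP", "IS_SUCCESS": "YES"},
]

# Constructed corporate egress range, the same shape a Snowflake network
# policy's ALLOWED_IP_LIST takes.
TRUSTED_NETWORKS = ["203.0.113.0/24"]

# Constructed list of every user that exists in the account, including
# accounts that have never logged in (DAVE).
KNOWN_USERS = {"ALICE", "BOB", "CAROL", "SVC_ETL", "DAVE"}

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def password_only_logins(rows):
    """Successful logins that used a password with no second factor.
    Key-pair logins are excluded: they have no MFA step, but a password
    scraped from a browser by an infostealer does not unlock them."""
    return [
        (r["USER_NAME"], r["CLIENT_IP"], r["EVENT_TIMESTAMP"])
        for r in rows
        if r["IS_SUCCESS"] == "YES"
        and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
        and not r["SECOND_AUTHENTICATION_FACTOR"]
    ]


def logins_outside_allowlist(rows, allowed_cidrs):
    """Successful logins whose source IP falls outside every trusted range."""
    nets = [ip_network(c) for c in allowed_cidrs]
    return [
        (r["USER_NAME"], r["CLIENT_IP"])
        for r in rows
        if r["IS_SUCCESS"] == "YES"
        and not any(ip_address(r["CLIENT_IP"]) in n for n in nets)
    ]


def dormant_users(rows, known_users, as_of, max_idle_days=90):
    """Accounts with no successful login in the last max_idle_days before
    `as_of` (a timestamp string in TS_FORMAT), including accounts that
    have never logged in at all."""
    last_seen = {}
    for r in rows:
        if r["IS_SUCCESS"] != "YES":
            continue
        ts = datetime.strptime(r["EVENT_TIMESTAMP"], TS_FORMAT)
        if ts > last_seen.get(r["USER_NAME"], datetime.min):
            last_seen[r["USER_NAME"]] = ts
    cutoff = datetime.strptime(as_of, TS_FORMAT) - timedelta(days=max_idle_days)
    return sorted(u for u in known_users if last_seen.get(u, datetime.min) < cutoff)


if __name__ == "__main__":
    now = "2024-05-31 00:00:00"
    print("password-only logins:", password_only_logins(SAMPLE_LOGIN_HISTORY))
    print("outside allowlist:", logins_outside_allowlist(SAMPLE_LOGIN_HISTORY, TRUSTED_NETWORKS))
    print("dormant accounts:", dormant_users(SAMPLE_LOGIN_HISTORY, KNOWN_USERS, now))
```

On the constructed data the script flags BOB's password-only login from an untrusted address (the pattern the article describes), and lists CAROL and DAVE as dormant accounts that should be disabled or removed. Each finding maps to one of the controls in the paragraph above: an MFA enrollment requirement removes the first class of finding, a network policy removes the second, and periodic account review removes the third.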