
Exploring the Snowflake Breach (Attack Anatomy)

We dissect the Snowflake Breach through the lens of the MITRE ATT&CK framework.

IamRoot & Howard Poston, Jul 18, 2024
Attack Anatomy, Blue Teaming, Cyber Teams
Hack The Box Article

The 2024 AT&T breach was one of the most significant security incidents in recent history. Attackers accessed the call metadata of nearly all of the company’s customers from March 1 through October 31, 2022. 

Due to the potential national security implications of the breach, the American Securities and Exchange Commission (SEC) even provided a nearly three-month extension on its usual four-day notification rule (the breach was identified on April 19th but was publicly disclosed on July 12).

AT&T was only one of an estimated 165 companies impacted by the same campaign. Other victims included TicketMaster, Santander Group, and Advance Auto Parts. Who was responsible? 

The ShinyHunters threat group. 

They gained access to the companies’ Snowflake accounts via credential stuffing and a supply chain breach of EPAM Systems.

Once inside, ShinyHunters accessed and exfiltrated sensitive data from these cloud storage locations. Then, they demanded ransoms ranging from $300,000 to $5 million in exchange for deleting the data.

We’re going to dive into the anatomy of the Snowflake attack in this post. Like our deep dive into the Cuttlefish malware, this attack anatomy article uses the MITRE ATT&CK framework to explore the various techniques used by the attackers in this incident.

For each technique, we’ll also point to Hack the Box (HTB) resources that can provide hands-on training about how the technique works—and how to defend against it.

Inside the Snowflake breach 

AT&T and other companies were the victims of a supply chain attack that targeted their Snowflake cloud storage. 

Instead of exploiting vulnerabilities in Snowflake’s environment, ShinyHunters used compromised credentials to access and steal data.

Note💡: While we have a pretty good idea of the techniques and tools that the ShinyHunters group used during this attack, we are not certain and not everything has been confirmed by affected parties. So, this anatomy is alleging these techniques based on public reporting. 

Collecting Snowflake credentials

Snowflake environments breached by ShinyHunters are believed to have been accessed via compromised credentials rather than through security flaws in the Snowflake environment itself. The attackers may have collected credentials in a couple of different ways:

Supply chain compromise

EPAM Systems is a managed service provider (MSP) that offers a range of different services to its customers. This includes managing an organization’s Snowflake cloud storage deployments. 

ShinyHunters exploited this trust relationship (MITRE ATT&CK Technique T1199) to target the company’s customers.

ShinyHunters breached the computer of an EPAM employee and installed a remote access trojan (RAT). This tool—allegedly Lumma Stealer, which is also a keylogger—provided control over the system.

With access to the employee’s system, the attackers identified customers’ Snowflake credentials stored unencrypted within Jira, a project management tool (MITRE ATT&CK T1552).

MITRE ATT&CK + NIST NICE-aligned content

Managers using the HTB Enterprise Platform can easily search courses using MITRE terminology and assign them based on the techniques and tactics relevant to their teams.

The mapping of HTB Professional Labs to the MITRE ATT&CK matrix aligned training sessions to real-world scenarios and correlated skills development to improved client engagements.

This search feature works with specific MITRE tactics or techniques (for example, T1594 or Active Scanning) or with text keywords found in the course material. 

The NIST | NICE framework is also integrated into the HTB Enterprise Platform, allowing teams to build essential Knowledge, Skills, Abilities, and Tasks (KSATs) for cybersecurity roles. 

We’ve categorized all Academy Modules according to these standards. So managers can now develop skill-focused training by adding tailored content to their Lab, using any keyword, NICE skill code, task, knowledge area, or work role.

Try HTB Enterprise For Free

Exploiting past breaches

ShinyHunters also took advantage of past breaches and poor password hygiene to gain access to additional Snowflake accounts. The attackers trawled through leaked credentials compiled from past breaches using infostealer malware (MITRE ATT&CK T1589.001).

This also included a previous incident where the infostealer malware was installed on the same EPAM employee’s computer. In some cases, credentials breached as far back as 2020 were still in use on Snowflake accounts.

In addition to identifying Snowflake credentials within these past breaches, the threat group also identified credentials used by Snowflake users for other, unrelated accounts. 

With these credentials, they performed a credential stuffing attack (MITRE ATT&CK T1110.004), exploiting password reuse to compromise additional Snowflake accounts.

Accessing Snowflake environments

Access to a Snowflake environment requires a few different pieces of information. 

In addition to the login credentials for the user’s account, the attackers also need to know the URL of an organization’s Snowflake instance.

For companies like Ticketmaster, whose Snowflake credentials were identified via the EPAM breach, an internal EPAM URL used to access the company’s Snowflake account was cached alongside the credentials. 

For other accounts breached via credential stuffing, the attackers could take advantage of the fact that Snowflake has a standard URL format (https://<orgname>-<account_name>.snowflakecomputing.com) to brute-force potential account names.

With the users’ login credentials, ShinyHunters was able to log into the companies’ Snowflake instances (MITRE ATT&CK T1530).

At the time of the breach, Snowflake didn’t have an option for organizations to require the use of multi-factor authentication (MFA). Without MFA in place, all the attackers needed was knowledge of the username and password. 

Additionally, these customer accounts lacked allowlists that would restrict the IP addresses from which the accounts could be accessed.
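The two missing controls above (no MFA, no IP allowlist) and the credential-stuffing pattern both leave traces in Snowflake's login history. The following added example, which is not code from the original post or from Snowflake, runs the corresponding checks over constructed records shaped like the USER_NAME, CLIENT_IP, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR and IS_SUCCESS columns of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; the sample rows, usernames, IP addresses and the allowlist range are all assumptions made for the example.

```python
"""Defensive checks for the login-path gaps described above: successful
password-only sign-ins, sign-ins from outside an IP allowlist, and one client
IP cycling through many usernames (credential stuffing). Rows mimic
SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY columns; all sample data is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample rows:
# (event_timestamp, user_name, client_ip, first_factor, second_factor, is_success)
LOGIN_EVENTS = [
    ("2024-04-10T02:01:00Z", "alice",   "203.0.113.7",   "PASSWORD",    None,       "NO"),
    ("2024-04-10T02:01:05Z", "bob",     "203.0.113.7",   "PASSWORD",    None,       "NO"),
    ("2024-04-10T02:01:09Z", "carol",   "203.0.113.7",   "PASSWORD",    None,       "NO"),
    ("2024-04-10T02:01:14Z", "dave",    "203.0.113.7",   "PASSWORD",    None,       "YES"),
    ("2024-04-10T09:30:00Z", "alice",   "198.51.100.20", "PASSWORD",    "DUO_PUSH", "YES"),
    ("2024-04-10T09:45:00Z", "svc_etl", "198.51.100.21", "RSA_KEYPAIR", None,       "YES"),
]

# Assumed corporate egress range; a Snowflake network policy would carry the same list.
ALLOWLIST = [ip_network("198.51.100.0/24")]


def is_allowlisted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def single_factor_successes(events):
    """Users who signed in successfully with a password and no second factor."""
    return sorted({e[1] for e in events
                   if e[5] == "YES" and e[3] == "PASSWORD" and e[4] is None})


def off_allowlist_successes(events):
    """Successful (user, ip) pairs from addresses an allowlist would have blocked."""
    return [(e[1], e[2]) for e in events if e[5] == "YES" and not is_allowlisted(e[2])]


def stuffing_sources(events, min_users=3):
    """Client IPs that tried at least min_users distinct usernames, mapped to
    the usernames that succeeded from that IP (the stuffing signature)."""
    tried, hit = defaultdict(set), defaultdict(set)
    for _, user, ip, _, _, ok in events:
        tried[ip].add(user)
        if ok == "YES":
            hit[ip].add(user)
    return {ip: sorted(hit[ip]) for ip, users in tried.items() if len(users) >= min_users}
```

Feeding the real LOGIN_HISTORY view into the same functions turns each missing control into a concrete alert: any non-empty result from the first two checks shows exactly which accounts an MFA or network policy would have protected.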

Data theft and ransom demands

After gaining access to customer Snowflake instances, ShinyHunters used both custom tools and DBeaver Ultimate (a database management tool) to perform reconnaissance on these environments (MITRE ATT&CK T1580).

The attackers enumerated tables and exfiltrated those of particular interest and value using the GET command (MITRE ATT&CK T1567).

They often created temporary stages within the Snowflake environment where they could compress data using GZIP before exfiltration (MITRE ATT&CK T1560.001).
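The stage-then-compress-then-GET sequence described in the last two paragraphs is a detectable chain in Snowflake's query history. The following added example, which is not code from the original post or from Snowflake, classifies constructed query-history rows (shaped like the USER_NAME, START_TIME and QUERY_TEXT columns of SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY) and flags any user whose queries cover all three steps in order; the usernames, stage names and table names are assumptions made for the example.

```python
"""Detect the collection-and-exfiltration chain described above in query
history: CREATE TEMPORARY STAGE, then COPY INTO the stage with GZIP
compression, then GET from the stage. Rows mimic
SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY columns; all sample data is constructed."""
import re
from collections import defaultdict

# Constructed sample rows: (user_name, start_time, query_text)
QUERY_LOG = [
    ("dave",    "2024-04-10T02:05:00Z", "SHOW TABLES IN DATABASE PROD"),
    ("dave",    "2024-04-10T02:06:00Z", "CREATE TEMPORARY STAGE tmp_out"),
    ("dave",    "2024-04-10T02:07:00Z",
     "COPY INTO @tmp_out FROM prod.customers FILE_FORMAT=(TYPE=CSV COMPRESSION=GZIP)"),
    ("dave",    "2024-04-10T02:09:00Z", "GET @tmp_out file:///tmp/out/"),
    ("svc_etl", "2024-04-10T03:00:00Z",
     "COPY INTO @etl_stage FROM prod.events FILE_FORMAT=(TYPE=PARQUET)"),
    ("alice",   "2024-04-10T09:31:00Z", "SELECT COUNT(*) FROM prod.customers"),
]

# The three steps of the chain, in the order they must occur (case-insensitive).
STEPS = [
    ("create_temp_stage",
     re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?TEMP(?:ORARY)?\s+STAGE\b", re.I)),
    ("unload_gzip", re.compile(r"\bCOPY\s+INTO\s+@.*COMPRESSION\s*=\s*GZIP\b", re.I | re.S)),
    ("get_from_stage", re.compile(r"^\s*GET\s+@", re.I)),
]
CHAIN = tuple(name for name, _ in STEPS)


def classify(query_text):
    """Return the chain step a single query matches, or None for benign queries."""
    for name, pattern in STEPS:
        if pattern.search(query_text):
            return name
    return None


def exfil_sequences(log, required=CHAIN):
    """Map each user whose queries, in time order, complete every required
    step in sequence to the list of chain steps seen for that user."""
    per_user = defaultdict(list)
    for user, _, text in sorted(log, key=lambda r: r[1]):
        step = classify(text)
        if step:
            per_user[user].append(step)
    flagged = {}
    for user, steps in per_user.items():
        idx = 0
        for step in steps:
            if step == required[idx]:
                idx += 1
                if idx == len(required):  # full chain observed
                    flagged[user] = steps
                    break
    return flagged
```

A routine unload with a different file format, like the svc_etl row, does not complete the chain and is not flagged, so the check can run on the real view without drowning the SOC in ETL noise.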

ShinyHunters are primarily motivated by financial gain. After exfiltrating high-value data, the group demanded ransoms in exchange for deleting the stolen data (MITRE ATT&CK T1657).

One high-profile victim was AT&T, who paid $370,000 of a $1 million ransom in exchange for a video of the attackers deleting call metadata for approximately 110 million AT&T customers.

Prepare for emerging threats with HTB

The MITRE ATT&CK framework offers a wealth of useful information about how a particular technique works and methods for detecting and mitigating it. HTB provides hands-on experience with these techniques. 

This enables security personnel to stay ahead of emerging threats and threat actor behavior, allowing teams to design more effective mitigations.

The following table maps the techniques used by ShinyHunters in the Snowflake breach to the corresponding MITRE ATT&CK Techniques. Additionally, it identifies HTB resources that contain content related to these techniques.

| ShinyHunters technique | MITRE ATT&CK technique | HTB Academy modules | HTB Machines and Sherlocks |
|---|---|---|---|
| Malware targeting trusted partner | T1199 Trusted Relationship; T1552 Unsecured Credentials | Password Attacks | Hooked, Pulse, Saboteur |
| Identify previously breached credentials | T1589.001 Gather Victim Identity Information | OSINT: Corporate Recon | MoodleRead, Constellation |
| Credential stuffing | T1110.004 Brute Force: Credential Stuffing | Login Brute Forcing | Resolute, Deadline, Brutus |
| Data theft and exfiltration of Snowflake data | T1530 Data from Cloud Storage | File Transfers | Codify, Nubilum2, OpTinselTrace2 |
| | T1567 Exfiltration Over Web Service | Modern Web Exploitation | Art, GetLab-D |
| | T1560 Archive Collected Data | File Transfers | Leaf, Hunter |
| Extorting ransom to delete stolen data | T1657 Financial Theft | HTB CPTS | Control, Safecracker, LockPick 2.0 |

Aside from understanding emerging threats, security teams need to develop threat models, develop detection strategies for specific environments, and prioritize security investments. For this reason, HTB carefully maps courses and labs to the MITRE ATT&CK framework.
