Exploring the Snowflake Breach (Attack Anatomy)

The 2024 AT&T breach was one of the most significant security incidents in recent history. Attackers accessed the call metadata of nearly all of the company’s customers from March 1 through October 31, 2022. 

Due to the potential national security implications of the breach, the American Securities and Exchange Commission (SEC) even provided a nearly three-month extension on its usual four-day notification rule (the breach was identified on April 19th but was publicly disclosed on July 12). 

AT&T was only one of an estimated 165 companies impacted by the same campaign. Other victims included TicketMaster, Santander Group, and Advance Auto Parts. Who was responsible? 

The ShinyHunters threat group. 

They gained access to the companies’ Snowflake accounts via credential stuffing and a supply chain breach of EPAM Systems.

Once inside, ShinyHunters accessed and exfiltrated sensitive data from these cloud storage locations. Then, they demanded ransoms ranging from $300,000 to $5 million in exchange for deleting the data.

We’re going to dive into the anatomy of the Snowflake attack in this post. Like our deep dive into the Cuttlefish malware, this attack anatomy article uses the MITRE ATT&CK framework to explore the various techniques used by the attackers in this incident. 

For each technique, we’ll also point to Hack the Box (HTB) resources that can provide hands-on training about how the technique works—and how to defend against it.

Inside the Snowflake breach 

AT&T and other companies were the victims of a supply chain attack that targeted their Snowflake cloud storage. 

Instead of exploiting vulnerabilities in Snowflake’s environment, ShinyHunters used compromised credentials to access and steal data.

Note💡: While we have a pretty good idea of the techniques and tools that the ShinyHunters group used during this attack, we are not certain and not everything has been confirmed by affected parties. So, this anatomy is alleging these techniques based on public reporting. 

Collecting Snowflake credentials

Snowflake environments breached by ShinyHunters are believed to be exploited via compromised credentials rather than security flaws within the Snowflake environment. The attackers may have collected credentials in a couple of different ways:

Supply chain compromise

EPAM Systems is a managed service provider (MSP) that offers a range of different services to its customers. This includes managing an organization’s Snowflake cloud storage deployments. 

ShinyHunters exploited this trust relationship (MITRE ATT&CK Technique T1199) to target the company’s customers.

ShinyHunters breached the computer of an EPAM employee and installed a remote access trojan (RAT). This tool—allegedly Lumma Stealer, which is also a keylogger—provided control over the system. 

With access to the employee’s system, the attackers identified customers’ Snowflake credentials stored unencrypted within Jira, a project management tool (MITRE ATT&CK T1552).

Exploiting past breaches

ShinyHunters also took advantage of past breaches and poor password hygiene to gain access to additional Snowflake accounts. The attackers trawled through leaked credentials compiled from past breaches using infostealer malware (MITRE ATT&CK T1589.001). 

This also included a previous incident where the infostealer malware was installed on the same EPAM employee’s computer. In some cases, credentials breached as far back as 2020 were still in use on Snowflake accounts.

In addition to identifying Snowflake credentials within these past breaches, the threat group also identified credentials used by Snowflake users for other, unrelated accounts. 

With these credentials, they performed a credential stuffing attack (MITRE ATT&CK T1110.004), exploiting password reuse to compromise additional Snowflake accounts.

Accessing Snowflake environments

Access to a Snowflake environment requires a few different pieces of information. 

In addition to the login credentials for the user’s account, the attackers also need to know the URL of an organization’s Snowflake instance.

For companies like Ticketmaster, whose Snowflake credentials were identified via the EPAM breach, an internal EPAM URL used to access the company’s Snowflake account was cached alongside the credentials. 

For other accounts breached via credential stuffing, the attackers could take advantage of the fact that Snowflake has a standard URL format (https://<orgname>-<account_name>.snowflakecomputing.com) to brute-force potential account names.

With the users’ login credentials, ShinyHunters was able to log into the companies’ Snowflake instances (MITRE ATT&CK T1530).

At the time of the breach, Snowflake didn’t have an option for organizations to require the use of multi-factor authentication (MFA). Without MFA in place, all the attackers needed was knowledge of the username and password. 

Additionally, these customer accounts lacked allowlists that would restrict the IP addresses from which the accounts could be accessed.

Data theft and ransom demands

After gaining access to customer Snowflake instances, ShinyHunters used both custom tools and DBeaver Ultimate (a database management tool) to perform reconnaissance on these environments (MITRE ATT&CK T1580). 

The attackers enumerated tables and exfiltrated those of particular interest and value using the GET command (MITRE ATT&CK T1567). 

They often created temporary stages within the Snowflake environment where they could compress data using GZIP before exfiltration (MITRE ATT&CK T1560.001).

ShinyHunters are primarily motivated by financial gain. After exfiltrating high-value data, the group demanded ransoms in exchange for deleting the stolen data (MITRE ATT&CK T1657). 

One high-profile victim was AT&T, who paid $370,000 of a $1 million ransom in exchange for a video of the attackers deleting call metadata for approximately 110 million AT&T customers.

Prepare for emerging threats with HTB

The MITRE ATT&CK framework offers a wealth of useful information about how a particular technique works and methods for detecting and mitigating it. HTB provides hands-on experience with these techniques. 

This enables security personnel to stay ahead of emerging threats and threat actor behavior, allowing teams to design more effective mitigations.

The following table maps the techniques used by ShinyHunters in the Snowflake breach to the corresponding MITRE ATT&CK Techniques. Additionally, it identifies HTB resources that contain content related to these techniques.

ShinyHunters Technique	MITRE ATT&CK Technique	HTB Academy modules	HTB Machines	HTB Sherlocks
Malware targeting trusted partner	T1199 Trusted Relationship	Password Attacks	Hooked	Pulse Saboteur
	T1552 Unsecured Credentials
Identify previously breached credentials	T1589.001 Gather Victim Identity Information	OSINT: Corporate Recon	MoodleRead	Constellation
Credential stuffing	T1110.004 Brute Force: Credential Stuffing	Login Brute Forcing	Resolute	Deadline Brutus
Data theft and exfiltration of Snowflake data	T1530 Data from Cloud Storage	File Transfers	Codify	Nubilum2 OpTinselTrace2
	T1567 Exfiltration Over Web Service	Modern Web Exploitation	Art	GetLab-D
	T1560 Archive Collected Data	File Transfers	Leaf	Hunter
Extorting ransom to delete stolen data	T1657 Financial Theft	HTB CPTS	Control	Safecracker LockPick 2.0

Aside from understanding emerging threats, security teams need to develop threat models, develop detection strategies for specific environments, and prioritize security investments. For this reason, HTB carefully maps courses and labs to the MITRE ATT&CK framework.

Book a demo

Explore a free trial