
Exploring the Snowflake Breach (Attack Anatomy)

We dissect the Snowflake Breach through the lens of the MITRE ATT&CK framework.

Howard Poston, Oct 01, 2024

The 2024 AT&T breach was one of the most significant security incidents in recent history. Attackers accessed the call metadata of nearly all of the company’s customers from March 1 through October 31, 2022. 

Due to the potential national security implications of the breach, the American Securities and Exchange Commission (SEC) even granted a nearly three-month extension on its usual four-day notification rule (the breach was identified on April 19 but was publicly disclosed on July 12).

AT&T was only one of an estimated 165 companies impacted by the same campaign. Other victims included TicketMaster, Santander Group, and Advance Auto Parts. Who was responsible? 

The ShinyHunters threat group. 

Snowflake breach MITRE ATT&CK techniques and defensive mitigation

ShinyHunters technique | MITRE ATT&CK technique | HTB Academy modules | HTB Machines / Sherlocks
--- | --- | --- | ---
Malware targeting trusted partner | T1199 Trusted Relationship; T1552 Unsecured Credentials | Password Attacks | Hooked, Pulse, Saboteur
Identify previously breached credentials | T1589.001 Gather Victim Identity Information | OSINT: Corporate Recon | MoodleRead
Credential stuffing | T1110.004 Brute Force: Credential Stuffing | Login Brute Forcing | Resolute, Brutus
Data theft and exfiltration of Snowflake data | T1530 Data from Cloud Storage | File Transfers | Codify
Data theft and exfiltration of Snowflake data | T1567 Exfiltration Over Web Service | Modern Web Exploitation | Art
Data theft and exfiltration of Snowflake data | T1560 Archive Collected Data | File Transfers | Leaf
Extorting ransom to delete stolen data | T1657 Financial Theft | HTB CPTS | Control

ShinyHunters gained access to the companies’ Snowflake accounts via credential stuffing and a supply chain breach of EPAM Systems.

Once inside, ShinyHunters accessed and exfiltrated sensitive data from these cloud storage locations. Then, they demanded ransoms ranging from $300,000 to $5 million in exchange for deleting the data.

We’re going to dive into the anatomy of the Snowflake attack in this post. Like our deep dive into the Cuttlefish malware, this attack anatomy article uses the MITRE ATT&CK framework to explore the various techniques used by the attackers in this incident. 

For each technique, we’ll also point to Hack the Box (HTB) resources that can provide hands-on training about how the technique works—and how to defend against it.

Inside the Snowflake breach 

AT&T and other companies were the victims of a supply chain attack that targeted their Snowflake cloud storage. 

Instead of exploiting vulnerabilities in Snowflake’s environment, ShinyHunters used compromised credentials to access and steal data.

Note 💡: While we have a pretty good idea of the techniques and tools that the ShinyHunters group used during this attack, we are not certain, and not everything has been confirmed by the affected parties. This anatomy therefore attributes these techniques based on public reporting.

Collecting Snowflake credentials

The Snowflake environments breached by ShinyHunters are believed to have been accessed with compromised credentials rather than through security flaws in Snowflake itself. The attackers may have collected those credentials in a couple of different ways:

Supply chain compromise

EPAM Systems is a managed service provider (MSP) that offers a range of different services to its customers. This includes managing an organization’s Snowflake cloud storage deployments. 

ShinyHunters exploited this trust relationship (MITRE ATT&CK Technique T1199) to target the company’s customers.

ShinyHunters breached the computer of an EPAM employee and installed a remote access trojan (RAT). This tool—allegedly Lumma Stealer, which is also a keylogger—provided control over the system. 

With access to the employee’s system, the attackers identified customers’ Snowflake credentials stored unencrypted within Jira, a project management tool (MITRE ATT&CK T1552).
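Because this campaign relied on valid credentials rather than a Snowflake vulnerability, the defender's signal lives in the account's login history. The following Python is an added example (not code from this post or from Snowflake) that runs two checks over constructed records shaped like the columns of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY: a credential-stuffing source that fails logins across many distinct users, and a password-only success for a user from an IP that user has never logged in from before. The sample data, thresholds and helper names are assumptions for illustration.

```python
"""Flag suspicious Snowflake logins in LOGIN_HISTORY-style records.

Check 1 (credential stuffing, T1110.004): one source IP failing logins
for many distinct user names in a short window.
Check 2 (stolen-credential use): a single-factor (password-only) success
for a user from an IP that user has no earlier successful login from.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample records (not real telemetry), modelled on the
# LOGIN_HISTORY columns EVENT_TIMESTAMP, USER_NAME, CLIENT_IP,
# FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS.
SAMPLE_LOGINS = [
    ("2024-04-10T08:01:00Z", "alice", "203.0.113.7", "PASSWORD", "DUO_PUSH", True),
    ("2024-04-10T08:05:00Z", "bob", "203.0.113.8", "PASSWORD", None, True),  # bob's usual IP
    ("2024-04-14T02:10:00Z", "carol", "198.51.100.9", "PASSWORD", None, False),
    ("2024-04-14T02:10:05Z", "dave", "198.51.100.9", "PASSWORD", None, False),
    ("2024-04-14T02:10:09Z", "erin", "198.51.100.9", "PASSWORD", None, False),
    ("2024-04-14T02:10:12Z", "frank", "198.51.100.9", "PASSWORD", None, False),
    ("2024-04-14T02:10:20Z", "bob", "198.51.100.9", "PASSWORD", None, True),  # stuffed credential hit
]


def stuffing_sources(records, min_users: int = 4) -> Dict[str, int]:
    """Return {ip: distinct_failed_users} for IPs whose failed logins
    span at least min_users different user names (spray/stuffing shape)."""
    failed_users = defaultdict(set)
    for _ts, user, ip, _f1, _f2, ok in records:
        if not ok:
            failed_users[ip].add(user)
    return {ip: len(u) for ip, u in failed_users.items() if len(u) >= min_users}


def new_ip_single_factor(records) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, ip) for password-only successes from an IP
    the user had not successfully logged in from earlier in the data.
    A user's very first login is treated as baseline, not as a hit."""
    seen_ips = defaultdict(set)  # user -> IPs with a prior successful login
    hits = []
    for ts, user, ip, f1, f2, ok in sorted(records):  # ISO timestamps sort lexically
        if not ok:
            continue
        if f1 == "PASSWORD" and f2 is None and seen_ips[user] and ip not in seen_ips[user]:
            hits.append((ts, user, ip))
        seen_ips[user].add(ip)
    return hits
```

In practice the baseline for check 2 would come from a longer lookback than the window being triaged, and a hit on an account that also appears in check 1's failed set is the combination worth paging on.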

MITRE ATT&CK + NIST NICE-aligned content

Managers using the HTB Enterprise Platform can easily search courses using MITRE terminology and assign them based on the techniques and tactics relevant to their teams.