Snowflake Hacking Suspect Arrested in Canada

Written by

Canadian authorities have confirmed the arrest of a man suspected to have perpetrated a series of Snowflake account breaches, which impacted scores of companies and countless downstream customers.

A statement from the Canadian Department of Justice noted that the arrest of Alexander Moucka (aka Connor Moucka) on October 30 was made at the request of the US.

“He appeared in court later that afternoon, and his case was adjourned to Tuesday, November 5, 2024. As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case,” the statement concluded.

The breach of Snowflake customers came to light in June, when a financially motivated threat actor dubbed UNC5537 began to sell data stolen from the accounts on the dark web. Ticketmaster and AT&T were among the companies affected.

Read more on Snowflake-related breaches: Snowflake Breach at Advance Auto Parts Hits 2.3 Million People

Mandiant, the Google-owned company investigating the breaches, claimed that as many as 165 companies may have been impacted. It said that account credentials were originally stolen via infostealer malware, in some cases dating back to 2020. None of the accounts are thought to have been protected with multi-factor authentication (MFA).

Mandiant senior threat analyst, Austin Larsen, dubbed UNC5537, now alleged to be Moucka, “one of the most consequential threat actors” of the year.

“In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations. The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm a single individual can cause using off-the-shelf tools,” he continued.

“This arrest serves as a deterrent to cybercriminals and reinforces that their actions have serious consequences.”

Mandiant warned that stolen credentials continue to be a popular way for threat actors to achieve initial access. They are usually obtained by phishing, purchasing on underground sites or via infostealer malware.

“The frequent use of infostealers by actors engaging in extortion operations coupled with the continued interest in infostealers across underground communities underscore that they pose a significant ongoing threat to organizations globally,” a statement from the vendor added.

What’s hot on Infosecurity Magazine?