Skip to content
Unveil the Future of TechStay Safe Online with Wise Learner Hub

Identity-based assaults sweep through vulnerable clients, dubbed as "snowflakes"

Major businesses may face breaches due to targeted assaults on Snowflake client ecosystems, according to cybersecurity experts and researchers.

 and  Administrator
3 min read
Customers facing identity-based assault wave, dubbed 'Snowflake' attack spree
Customers facing identity-based assault wave, dubbed 'Snowflake' attack spree

Identity-based assaults sweep through vulnerable clients, dubbed as "snowflakes"

Following a series of targeted attacks on Snowflake's enterprise customers, the data warehousing giant is urging users to bolster their account security. The threat activity, as reported by Snowflake, CrowdStrike, Mandiant, and incident response firm Mitiga, is aimed at users with single-factor authentication.

The attacks, which have been observed since mid-April, came to light for Snowflake on May 23. The company has since provided indicators of compromise and recommended actions for organizations to investigate potential threat activity within their Snowflake customer accounts.

According to Mandiant Consulting CTO, Charles Carmakal, the threat actor likely obtained access to multiple organizations' Snowflake tenants by using credentials stolen by infostealing malware. The stolen credentials were then used to compromise enterprises, steal data, deploy ransomware, and conduct multifaceted extortion.

To counteract these attacks, Snowflake and security experts recommend a layered security approach. Here are the key measures Snowflake customers should consider:

  1. Enable Multi-Factor Authentication (MFA): Snowflake is enforcing MFA for all password-based logins, and customers should ensure MFA is fully enabled to prevent credential theft and unauthorized access.
  2. Use Private Connectivity Options: To secure data access, customers should employ Snowflake's private connectivity features that protect sensitive data traffic from exposure over public networks.
  3. Implement Role-Based Access Control (RBAC): Properly manage permissions by assigning minimal necessary privileges through role-based controls to limit access and reduce risk.
  4. Employ Key Pair Authentication and OAuth: For programmatic access such as with dbt or other development tools, use Snowflake’s key pair authentication or OAuth methods instead of password authentication.
  5. Continuously Monitor and Audit Usage: Utilize Snowflake’s ACCOUNT_USAGE schema and Trust Center tools to audit account activity, track suspicious patterns, and enforce resource monitors to detect anomalies before damage occurs.
  6. Apply Best Practices for Data Encryption: Always encrypt data at rest and in transit using Snowflake’s recommended encryption standards to protect data confidentiality.
  7. Stay Updated on Authentication Enhancements and AI-Driven Threat Detection: Keep abreast of Snowflake's ongoing authentication improvements and leverage AI-based security tools provided to automatically detect and respond to threats.

These actions form a vital layered security approach to hardening Snowflake accounts against unauthorized access and data exfiltration following the recent attacks. Customers should prioritize enabling MFA, controlling access tightly, securing connectivity, encrypting data, and maintaining vigilant monitoring and auditing.

This guidance reflects the latest recommendations from Snowflake in mid-2025 as part of their ongoing security posture enhancements. Snowflake has also advised impacted organizations to reset and rotate Snowflake credentials.

In addition, Snowflake has informed the limited number of customers who may have been affected by the attacks. Researchers at threat detection and incident response firm Mitiga made these observations in a Friday blog post. The Cybersecurity and Infrastructure Security Agency has also referred an inquiry about the attacks to Snowflake, and the Australian Signals Directorate has issued a high-alert advisory about increased cyberthreat activity relating to Snowflake customer environments.

In light of these attacks, it's crucial for Snowflake customers to remain vigilant and proactive in securing their accounts. Snowflake's CISO, Brad Jones, has stated that there's no evidence suggesting the activity was caused by a vulnerability, misconfiguration, or breach of Snowflake's platform. However, the ongoing investigation into these attacks is ongoing, and it's essential for Snowflake customers to take these recommended actions to secure their accounts and data.

  1. Snowflake's CISO, Brad Jones, has emphasized the importance of cybersecurity in the wake of targeted attacks, stating that there's no evidence suggesting the activity was caused by a vulnerability, misconfiguration, or breach of Snowflake's platform.
  2. To counteract these attacks, Snowflake and security experts recommend implementing a layered security approach, such as enabling Multi-Factor Authentication (MFA), using Private Connectivity Options, and Role-Based Access Control (RBAC), among others.
  3. The threat actor, as per Mandiant Consulting CTO, Charles Carmakal, is believed to have obtained access to multiple organizations' Snowflake tenants by using credentials stolen by infostealing malware, which were then used to compromise enterprises, steal data, deploy ransomware, and conduct multifaceted extortion.
  4. In response to these attacks, Snowflake has provided indicators of compromise and recommended actions for organizations to investigate potential threat activity within their Snowflake customer accounts, including resetting and rotating Snowflake credentials.

Read also:

    Related

    Latest