🇺🇸

UNC5537

APT Group ETDA ✓

Also Known As

No alias recorded

Target Countries 1

Countries highlighted in red

United States

Sectors Targeted

Commercial Banking 52211 Arts, Entertainment, and Recreation 71 Promoters of Performing Arts, Sports, and Similar Events 7113 Finance and Insurance 52 Computer Systems Design and Related Services 54151 Health Care and Social Assistance 62 NAICS:44 44 Telecommunications 517

Details

Origin 🇺🇸 US

Last Updated 21 Jun 2024

Malware Families 1

metastealer

MITRE ATT&CK 21

T1003 - OS Credential Dumping T1020 - Automated Exfiltration T1041 - Exfiltration Over C2 Channel T1059 - Command and Scripting Interpreter T1071.001 T1090 - Proxy T1102 - Web Service T1104 - Multi-Stage Channels T1105 - Ingress Tool Transfer T1132 - Data Encoding T1190 - Exploit Public-Facing Application T1210 T1525 - Implant Internal Image T1528 - Steal Application Access Token T1530 - Data from Cloud Storage Object T1560 - Archive Collected Data T1566 T1585 - Establish Accounts T1589 - Gather Victim Identity Information T1610 - Deploy Container T1611 - Escape to Host

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 1 entries

UNC5537 Mandiant

Description

(Mandiant) Through the course of our incident response engagements and threat intelligence collections, Mandiant has identified a threat campaign targeting Snowflake customer database instances with the intent of data theft and extortion. Snowflake is a multi-cloud data warehousing platform used to store and analyze large amounts of structured and unstructured data. Mandiant tracks this cluster of activity as UNC5537, a financially motivated threat actor suspected to have stolen a significant volume of records from Snowflake customer environments. UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims. Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment. Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.

Reports & References 3

https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion https://www.bleepingcomputer.com/news/security/pure-storage-confirms-data-breach-after-snowflake-account-hack/ https://krebsonsecurity.com/2025/02/u-s-soldier-charged-in-att-hack-searched-can-hacking-be-treason/

ETDA Profile

UNC5537

Origin

Canada

First Seen 2024

Motivation

Financial gain

View on ETDA APT Groups ↗