Austin Larsen
Avalanche: Unmasking UNC5537’s Campaign Targeting Snowflake Customer Instances
In April 2024, the threat actor Mandiant tracks as UNC5537 launched a campaign, systematically compromising Snowflake customer instances across hundreds of organizations worldwide. The operation, which left organizations reeling from significant data loss and extortion attempts, underscored the severe consequences of credential theft and insufficient multi-factor authentication.
As the lead Mandiant analyst investigating this threat, I’ll provide a behind-the-scenes look at this campaign, sharing never-before-disclosed findings of this cybercrime operation. This presentation will detail UNC5537’s attack methodology, from their exploitation of stolen credentials to data exfiltration using custom tools like FROSTBITE. You’ll learn how they leveraged the infostealer marketplace and exploited common security oversights to breach organizations globally.
We also cover insights into the group’s structure, motivations, and tactics. You’ll hear about their various personas, attribution efforts, interactions with victims and researchers—including death threats—and collaborations with other threat actors. Through examining the campaign’s victimology, I’ll highlight the diverse range of targeted organizations, the scale of this operation, and its implications for the cybersecurity landscape.
Finally, I’ll explore the broader ramifications of this campaign. How does it reflect the evolving nature of financially motivated cybercrime? What does it reveal about the impact of stolen credentials and the infostealer marketplace? Why are we still discussing MFA in 2024? And what might UNC5537 do next?
Austin Larsen is currently a Senior Threat Analyst on a six-month rotation with the Advanced Practices team, part of Mandiant Intelligence. Austin also leads Mandiant’s Victim Notification Program in the Western United States and serves as a liaison between Mandiant and federal partners.
As a consultant within Mandiant’s incident response practice, Austin provides emergency as well as proactive services to a broad range of organizations. Austin leads engagements involving nation-state actors and advanced threat groups, and has helped hundreds of organizations navigate security incidents.