Lifting the curtain —
Start with a third-party contractor and go from there.
Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they obtained access to some of the Snowflake accounts by first breaching a Belarusian-founded contractor that works with those customers.
About 165 customer accounts were potentially affected in the recent hacking campaign targeting Snowflake’s customers, but only a few of these have been identified so far. In addition to Ticketmaster, the banking firm Santander has also acknowledged that their data was stolen but declined to identify the account from which it was stolen. Wired, however, has independently confirmed that it was a Snowflake account; the stolen data included bank account details for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about staff, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also said they might be victims as well.
Snowflake has not revealed details about how the hackers accessed the accounts, saying only that the intruders did not directly breach Snowflake’s network. This week, Google-owned security firm Mandiant, one of the companies engaged by Snowflake to investigate the breaches, revealed in a blog post that in some cases the hackers first obtained access through third-party contractors, without identifying the contractors or stating how this access aided the hackers in breaching the Snowflake accounts.
But according to one of the hackers who spoke with WIRED through a text chat, one of those firms was EPAM Systems, a publicly traded software engineering and digital services firm, founded by Belarus-born Arkadiy Dobkin, with current revenue of around $4.8 billion. The hacker says his group, which calls themselves ShinyHunters, used data found on an EPAM employee system to gain access to some of the Snowflake accounts.
EPAM told WIRED that it does not believe that it played a role in the breaches and suggested the hacker had fabricated the tale. ShinyHunters has been around since 2020 and has been responsible for numerous breaches since then that involve stealing large troves of data and leaking or selling it online.
Snowflake is a large data storage and analysis firm that provides tools for companies to derive intelligence and insight from customer data. EPAM develops software and provides various managed services for customers worldwide, primarily in North America, Europe, Asia, and Australia, according to its web site, with about 60 percent of its revenue coming from customers in North America. Among the services EPAM provides customers is assistance with using and managing their Snowflake accounts to store and analyze their data. EPAM claims it has some 300 workers who are experienced in using Snowflake’s data analytics tools and services, and announced in 2022 that it had attained “Elite Tier Partner” status with Snowflake to leverage the latter’s analytics platform for its customers.
EPAM’s founder emigrated from Belarus to the US in the ’90s before founding his company in 1993 from his New Jersey apartment. Nearly two-thirds of EPAM’s 55,000 employees resided in Ukraine, Belarus, and Russia until Russia invaded Ukraine, at which point the company says it closed its Russia operationsand moved some of its Ukrainian workers to locations outside of that country.
The hacker who spoke with WIRED says that a computer belonging to one of EPAM’s employees in Ukraine was infected with info-stealer malware through a spear-phishing attack. It’s unclear if someone from ShinyHunters conducted this initial breach or just purchased access to the infected system from someone else who hacked the worker and installed the infostealer. The hacker says that once on the EPAM worker’s system, they installed a remote-access Trojan, giving them complete access to everything on the worker’s computer.
Using this access, they say, they found unencrypted usernames and passwords that the worker used to access and manage EPAM customers’ Snowflake accounts, including an account for Ticketmaster. The hacker says the credentials were stored on the worker’s machine in a project management tool called Jira. The hackers were able to use those credentials, they say, to access the Snowflake accounts because the Snowflake accounts didn’t require multifactor authentication (MFA) to access them. (MFA requires that users type in a one-time temporary code in addition to a username and password, making accounts that use MFA more secure.)
While EPAM denies it was involved in the breach, hackers did steal data from Snowflake accounts including Ticketmaster’s, and have extorted the owners of the data by demanding hundreds of thousands, and in some cases more than a million, dollars to destroy the data or risk having the hackers sell it elsewhere.