A cybercriminal responsible for a high-profile hacking campaign that affected up to 165 companies over the summer remains at large and has continued to target new organizations, according to cybersecurity experts at Google. The perpetrator, who previously targeted customers of Snowflake Inc., a cloud analytics company, has expanded their scope to American firms and critical infrastructure entities in Russia and Bangladesh.
Austin Larsen, a senior threat analyst at Google, has been closely monitoring the hacker’s activities for months. He revealed that the victims in the United States belong to various industries such as healthcare, technology, and telecommunications. Despite boasting about their attacks to the media and cybersecurity researchers, the hacker has managed to stay ahead of law enforcement, highlighting the challenges faced in combating cross-border cybercrime.
Based on an analysis of the hacker’s online behavior, Larsen suggested that the individual is likely a male in his 20s residing in Canada, with apparent Nazi sympathies. However, the hacker’s identity remains undisclosed, and it is unclear whether law enforcement authorities have been informed about their activities. Recently, the hacker shared stolen data from Russian and Bangladeshi critical infrastructure companies on Telegram, showcasing the extent of their intrusion.
The hacker gained access to victim organizations by using stolen passwords purchased on the dark web to log into internet-facing login portals or services. Larsen warned that the hacker, possibly working with accomplices, holds a significant number of stolen credentials from multiple organizations globally, totaling in the hundreds of thousands. Once inside the systems, the hacker could steal data and demand ransom from the victims.
Larsen emphasized that the hacker continues to pose a threat by compromising additional companies and extorting them for financial gain. In previous incidents involving companies like AT&T Inc., Live Nation Entertainment Inc., and Advance Auto Parts Inc., millions of people had their personal data compromised as a result of the hacker’s activities. These breaches occurred after the hacker exploited vulnerabilities in Snowflake’s systems to access sensitive information.
Although the hacker is no longer focusing on stealing Snowflake-related data, they have shifted their attention to exploiting tools from another software provider, according to Larsen’s disclosures at the LABScon cyber conference in Arizona. In an interesting turn of events, the hacker, operating under a pseudonym that Larsen verified, demanded $20 million in online chats for the complete set of Snowflake customer data, but there is no evidence to suggest that anyone paid the ransom. The hacker’s slip-up in revealing technical infrastructure details through a video allowed Google Cloud’s cyber unit, Mandiant, to assist in identifying them.
The cat-and-mouse game between law enforcement and cybercriminals highlights the ongoing battle against cyber threats in an increasingly interconnected world. With anonymity provided by communication services and a thriving black market for stolen data, tackling cybercrime remains a complex and evolving challenge for authorities worldwide.