Hacker behind Snowflake customer data breaches remains active
SCOTTSDALE, Ariz. — The hacker behind the bulk of the Snowflake customer data theft earlier this year remains active as of this week, a researcher tracking the suspect said Friday.
The hacker — known primarily as “Judische,” but who also used other names online, including “Waifu” — continues to target software-as-a-service providers and other entities “as recently as today,” Austin Larsen, a senior threat analyst with Mandiant, said during a presentation at SentinelOne’s LABScon security conference.
Larsen did not identify Judische by name, but recent reporting by cybersecurity journalist Brian Krebs indicated that the hacker is a 26-year-old software engineer living in Ontario, Canada. Larsen said during the presentation that Mandiant has “moderate confidence” that Judische is in Canada.
The hacker allegedly played a key role in the April compromise affecting up to 165 customers of Snowflake, a data storage and processing firm, using credentials harvested via infostealer malware. The number of companies actually extorted is far fewer — “dozens,” Larsen told CyberScoop after his presentation — but known victims include AT&T, Ticketmaster, and Santander.
Mandiant “obtained a series of private communications in which we were able to identify [Judische and associates] essentially coordinating and planning a lot of the Snowflake activity, in some cases, even telling the IP address that they’re dumping logs to,” Larsen said during the presentation.
Judische and close associates have successfully extorted as much as $2.7 million, Larsen said, but Judische told 404 Media’s Joseph Cox that the number was closer to $2 million.
Judische collaborated with another hacker, John Binns, on the attack targeting AT&T, which the company said in July included records of “nearly all” of its customers’ data for a six-month period in 2022. Binns, previously indicted for an attack on T-Mobile in 2021, was arrested by Turkish authorities after the AT&T attack and remains in custody.
Binns used the AT&T data and several other Snowflake customers’ data to “specifically look up the names, phone numbers and emails of those assigned to investigate him, rivals in the Com and other prominent officials,” Larsen said during his presentation.
The Com is an online ecosystem that includes groups engaging in cybercriminal activity, violence, extortion, kidnappings, shootings and robberies, according to both researchers who track the activity and law enforcement officials. Both Binns and Judische are part of that community.
The FBI declined to comment on Friday. The Royal Canadian Mounted Police said it “does not generally confirm or deny investigations unless criminal charges are laid.”
This story was updated Sept. 23, 2024, with a clarification on Binns’ use of data and a response from the RCMP.