AT&T Cloud Hack Part Of Ongoing Campaign, Experts Say
Hack of nearly all AT&T customers is part of campaign carried out by criminal gang targeting Snowflake cloud platform, say researchers
The breach affecting nearly all of AT&T’s customers, disclosed last week, was part of a campaign targeting users of the corporate cloud platform Snowflake that security researchers have described as “ongoing”.
AT&T became the latest firm to disclose the effects of the breaches of Snowflake customers’ cloud workspaces, which first came to light in April, confirming that personal data on most of its customers had been downloaded.
AT&T said it became aware on 19 April that data had been transferred from its Snowflake workspace to that of a third party. It delayed disclosure until Friday at the request of the US Justice Department, the company said.
The breach was disclosed in a Securities and Exchange Commission (SEC) filing that was made public on Friday.
‘National security’
The Justice Department said earlier in the day that disclosure of the breach would “pose a substantial risk to national security and public safety”.
The FBI said it was working with AT&T and the Justice Department “through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work”.
The data includes records of calls made from 1 May 2022 to 31 October 2022 and was downloaded in April, AT&T said.
The compromised data includes records on nearly all of AT&T’s cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network and AT&T landline customers who interacted with those cellular numbers.
“At this time, we do not believe that the data is publicly available,” AT&T said.
Ongoing cloud hacks
Computer security firm Mandiant said in June that it and Snowflake had notified about 165 corporate customers of breaches, the first indication of how many of the platform’s customers had been hit since the attacks began in April.
Snowflake has more than 9,800 corporate customers, including healthcare organisations, retail giants and tech firms, which use Snowflake for data analytics.
Ticketmaster and LendingTree earlier confirmed data thefts involving Snowflake workspaces.
Mandiant said at the time that the “ongoing” threat campaign was being carried out by a criminal gang it called UNC5537 that has members in North America and at least one in Turkey.
It said the group was trying to extort companies into paying to get their files back and to stop them from being disclosed publicly.
Mandiant said it had found “hundreds of customer Snowflake credentials exposed via infostealers”.
The credentials are believed to have been harvested by infostealer malware from the machines of corporate staff members who had access to their company’s Snowflake environment.
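A stolen staff password is replayed by the attacker as an ordinary password login, typically from an address and client the legitimate user never used. The check below, added here as an illustration and not code from AT&T, Snowflake or Mandiant, runs that hunt over rows shaped like Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view: it flags successful password-only logins from outside a trusted address list and then groups them by source address, since one actor replaying many stolen credentials tends to reuse infrastructure. The login rows and the trusted ranges are constructed sample data, and the assumption that a replayed infostealer credential shows up as a password login with no second factor is the author's, not a claim from the article.

```python
"""Hunt for replayed stolen credentials in Snowflake login history.

Added example, not code from the page or the firms it describes.  Row
keys mirror the columns of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; the rows
and the trusted-range list are constructed for the demonstration.
"""
from ipaddress import ip_address, ip_network

# Assumed egress ranges for staff (office, VPN).  Constructed for the example.
TRUSTED_RANGES = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]

# Constructed sample rows; only the LOGIN_HISTORY columns the hunt needs.
SAMPLE_LOGINS = [
    {"EVENT_TIMESTAMP": "2024-04-14T02:11:09", "USER_NAME": "ANALYST1",
     "CLIENT_IP": "203.0.113.40", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T03:02:51", "USER_NAME": "ANALYST1",
     "CLIENT_IP": "198.51.100.77", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T03:05:10", "USER_NAME": "SVC_ETL",
     "CLIENT_IP": "10.20.30.40", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T03:09:33", "USER_NAME": "ANALYST2",
     "CLIENT_IP": "198.51.100.77", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-04-14T03:09:50", "USER_NAME": "ANALYST2",
     "CLIENT_IP": "198.51.100.77", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]


def is_trusted_ip(ip, trusted_ranges=TRUSTED_RANGES):
    """True when the client address falls inside one of the trusted ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in trusted_ranges)


def flag_password_only_logins(rows, trusted_ranges=TRUSTED_RANGES):
    """Return (user, ip, client, timestamp) for successful password-only
    logins from outside the trusted ranges: the shape a replayed stolen
    password takes when no second factor is enforced."""
    findings = []
    for r in rows:
        if r["IS_SUCCESS"] != "YES":
            continue  # failed attempts are noise for this hunt
        if r["FIRST_AUTHENTICATION_FACTOR"] != "PASSWORD":
            continue  # key-pair / SSO sessions are not what a stealer replays
        if r["SECOND_AUTHENTICATION_FACTOR"]:
            continue  # a second factor was satisfied on this session
        if is_trusted_ip(r["CLIENT_IP"], trusted_ranges):
            continue
        findings.append((r["USER_NAME"], r["CLIENT_IP"],
                         r["REPORTED_CLIENT_TYPE"], r["EVENT_TIMESTAMP"]))
    return findings


def shared_source_ips(findings):
    """Map each flagged address to the sorted set of accounts it reached,
    keeping only addresses that touched more than one account."""
    by_ip = {}
    for user, ip, *_ in findings:
        by_ip.setdefault(ip, set()).add(user)
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    hits = flag_password_only_logins(SAMPLE_LOGINS)
    for hit in hits:
        print("password-only login from untrusted address:", hit)
    print("addresses reaching several accounts:", shared_source_ips(hits))
```

Against a live account the same rows come from a query such as `SELECT EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` restricted to the window of interest; a hit on a service account that should only ever authenticate with a key pair, or one address reaching several analysts, is the signal worth escalating.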