A researcher monitoring the situation reported that the hacker involved in the recent Snowflake customer data theft has extorted $2.7 million. The suspect, who has been linked to a series of attacks earlier this year, is still active as of this week.
According to Austin Larsen, a senior threat analyst with Mandiant, the hacker — known primarily as “Judische,” but who also used other names online, including “Waifu” — continues to target software-as-a-service providers and other entities “as recently as today.”
Larsen did not identify Judische by name, but recent reporting by cybersecurity journalist Brian Krebs indicated that the hacker is a 26-year-old software engineer living in Ontario, Canada. Larsen said during the presentation that Mandiant has “moderate confidence” that Judische is in Canada.
The hacker is said to have been instrumental in the April breach that impacted up to 165 Snowflake customers, utilising credentials obtained through infostealer malware.
However, the actual number of companies that were extorted is significantly lower — “dozens,” according to Larsen, who spoke to CyberScoop after his presentation. Notable victims include AT&T, Ticketmaster, and Santander.
Mandiant has uncovered a series of private communications revealing that Judische and his associates were actively coordinating the Snowflake attacks, including specifying the IP addresses where they were dumping logs, according to Larsen’s presentation.
Judische and his close associates have reportedly extorted up to $2.7 million, although Judische told 404 Media’s Joseph Cox that the actual figure is closer to $2 million.
He collaborated with another hacker, John Binns, in an attack on AT&T, which disclosed records containing “nearly all” of the company’s customer data for a six-month period in 2022.
Binns, who had previously been indicted for a 2021 attack on T-Mobile, was arrested by Turkish authorities after the AT&T incident and is currently in custody.
Larsen noted that Binns used the stolen AT&T data to search for the names, phone numbers, and emails of those investigating him, as well as rivals and prominent officials.
Researchers and law enforcement officials say the Com is an online ecosystem that includes groups engaging in cybercriminal activity, including violence, extortion, kidnappings, shootings, and robberies. Both Binns and Judische are members of this community.
The attacker, who previously stole data from customers of cloud analytics company Snowflake Inc., has since shifted focus to American firms and has compromised critical infrastructure organisations in Russia and Bangladesh.
In June and July, companies including AT&T Inc., Live Nation Entertainment Inc., and Advance Auto Parts Inc. reported being affected by a campaign in which a hacker stole personal data from millions of individuals.
The hacker is no longer targeting Snowflake-related data but exploiting tools from another software provider, which Larsen declined to name.
In June, an individual claiming to be the same hacker—using a pseudonym confirmed by Larsen—told Bloomberg News in an online chat that they anticipated receiving $20 million for the complete set of Snowflake customer data.