A man suspected of masterminding a series of corporate cyberattacks is reportedly in custody in Canada. Bloomberg reported on Monday that the suspect, 26-year-old Alexander “Connor” Moucka, was arrested by Canadian authorities on a provisional arrest warrant on October 30 at the request of the United States. The attacks targeted enterprise customers of the cloud data platform Snowflake, including AT&T and Live Nation (the parent company of Ticketmaster).
The campaign hit more than 100 organizations and led to the theft of millions of people’s personal data. In addition to AT&T and Ticketmaster, the list of victims included LendingTree, Advance Auto Parts and Neiman Marcus. AT&T declined to comment for this story. We also contacted Live Nation but received no response. (We will update this story if we hear back.)
Krebs on Security reported Tuesday that Moucka is named in multiple sealed indictments from U.S. prosecutors and federal law enforcement agencies. The suspects allegedly obtained credentials that had been stolen and circulated on cybercrime forums (and similar sources), betting that the victims reused the same passwords elsewhere. They then allegedly used those logins to access the Snowflake accounts of the company’s business customers, which in many cases were protected by a password alone, and threatened to sell the data on criminal forums if the victims did not pay up. AT&T reportedly paid the hackers a $370,000 ransom to delete the records.
Krebs said the online handles used by Moucka are linked to “Western, English-speaking cybercriminals and extremist groups who harass and blackmail minors into self-harm and harm to others.” The report says the handles belong to a “prolific cybercriminal” who operates at the intersection of those communities. It also claims Moucka was part of the hacking group tracked as “UNC5537,” which also included the “elusive” American John Erin Binns, who is currently in Turkey. Binns was behind the 2021 T-Mobile hack that affected at least 76.6 million customers.
Snowflake has blamed its enterprise customers for failing to set up multi-factor authentication. “There’s a broader challenge in the security community and in enterprises that many people don’t have a solid understanding of the basics,” Brad Jones, chief information security officer at Snowflake, told Bloomberg. But Snowflake’s failure to require multi-factor authentication is on par with a customer’s decision not to set it up, especially with millions of customers’ records at risk.
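The two preceding paragraphs describe the technique (reused passwords, no second factor) and the control that would have blunted it. The following is an added example, not from the article and not Snowflake’s or Mandiant’s published guidance: first a hunt over Snowflake’s LOGIN_HISTORY view for successful password-only logins, then the account-level authentication policy that closes the gap. It assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE schema and set account policies (ACCOUNTADMIN or equivalent); the policy name require_mfa_policy and the 30-day lookback window are assumptions chosen for illustration.

```sql
-- 1. Hunt: successful logins in the last 30 days (window is an assumption)
--    that presented only a password and no second factor. These are the
--    sessions a reused, leaked password would produce.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY logins DESC;

-- 2. Weak state the article describes: no account-level authentication
--    policy, so anyone holding a valid password gets in. Shown commented
--    out for contrast only; do not run this against a production account.
-- ALTER ACCOUNT UNSET AUTHENTICATION POLICY;

-- 3. Corrected state: every human user must enroll in MFA, and automated
--    clients are steered to key-pair authentication instead of passwords.
--    The policy name is an assumption. SNOWFLAKE_UI must stay in
--    CLIENT_TYPES so users have somewhere to complete enrollment.
CREATE OR REPLACE AUTHENTICATION POLICY require_mfa_policy
  AUTHENTICATION_METHODS = ('SAML', 'PASSWORD', 'KEYPAIR')
  MFA_ENROLLMENT         = REQUIRED
  CLIENT_TYPES           = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL')
  COMMENT = 'Password logins must also present a second factor';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 4. Verify the policy is attached to the account ...
SHOW AUTHENTICATION POLICIES IN ACCOUNT;

-- ... and list users who still have no second factor enrolled, so they can
--     be chased before the policy starts prompting them.
SHOW USERS;
SELECT "name", "login_name", "last_success_login"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "has_mfa" = FALSE
  AND "disabled" = FALSE;
```

Run the hunt first: any service account that shows up with password-only logins will break the moment the policy is applied, so move those identities to key-pair or OAuth authentication before step 3, not after. The policy should also be paired with a network policy restricting where logins may originate, since a second factor does nothing against a session token that has already been issued.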
Why did AT&T and other companies entrust Snowflake with so much customer data? The carrier hasn’t said. Snowflake provides cloud-based data storage and analysis services. AT&T announced in July that “nearly all” of its customers were affected by the hack, meaning that call records for nearly all of its subscribers were sitting in the carrier’s Snowflake environment. A total of 110 million AT&T customers were affected.
Fortunately, AT&T said the breach did not involve the content of any calls or text messages. However, it did include the phone numbers each account interacted with, along with a tally of each customer’s calls, texts and minutes. For some records it also included cell site identification numbers. Cybersecurity expert Javvad Malik told Engadget this summer that the latter “could potentially allow triangulation of a user’s location.”
