[{"data":1,"prerenderedAt":170},["ShallowReactive",2],{"article-slug-anodot-supply-chain-breach-hits-snowflake-customers":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":43,"sources":44,"events":67,"mitre_techniques":74,"mitre_mitigations":94,"d3fend_countermeasures":121,"iocs":134,"cyber_observables":135,"tags":150,"extract_datetime":158,"article_type":159,"impact_scope":160,"pub_date":59,"reading_time_minutes":169,"createdAt":158,"updatedAt":158},"e59f1c93-f8c7-489e-b1f8-f7a93e863c59","anodot-supply-chain-breach-hits-snowflake-customers","Anodot Breach Leads to Supply Chain Attack on Snowflake Customers; ShinyHunters Claims Responsibility","SaaS Vendor Anodot Breached; ShinyHunters Gang Uses Stolen Tokens to Attack Snowflake Customers","A security breach at Israeli AI analytics firm Anodot has resulted in a significant downstream supply chain attack targeting customers of the cloud data platform Snowflake. The 'ShinyHunters' extortion gang claimed responsibility on April 7, 2026, stating they leveraged stolen authentication tokens from Anodot's systems to gain unauthorized access to their customers' Snowflake instances. This allowed the attackers to bypass traditional defenses and steal data from multiple companies. High-profile victims, including Rockstar Games, have been named on the gang's leak site, with ransom demands issued to prevent the data from being published.","## Executive Summary\nA major supply chain attack is underway, originating from a security breach at **[Anodot](https://www.anodot.com/)**, an AI-powered cloud cost monitoring and analytics company. The notorious extortion group **[ShinyHunters](https://malpedia.caad.fkie.fraunhofer.de/actor/shinyhunters)** has claimed responsibility, stating they compromised Anodot's systems and stole authentication tokens. These tokens, which grant programmatic access to third-party services, were then used to infiltrate the **[Snowflake](https://www.snowflake.com/)** cloud data warehouse environments of Anodot's customers. This allowed the attackers to bypass conventional security measures like MFA and steal sensitive data from numerous organizations. **ShinyHunters** has begun extorting victims, including gaming giant **[Rockstar Games](https://www.rockstargames.com/)**, threatening to leak stolen data if ransoms are not paid. The incident highlights the critical and often overlooked risk posed by third-party SaaS integrations and the value of API keys and service tokens as a target for threat actors.\n\n## Threat Overview\nThis is a sophisticated supply chain attack that abuses the trust relationship between a SaaS vendor (Anodot) and its customers' cloud platforms (Snowflake). The attack chain is as follows:\n\n1.  **Vendor Compromise**: **ShinyHunters** first breached the network or systems of **Anodot**.\n2.  **Credential Theft**: The primary goal within Anodot was to steal sensitive credentials. In this case, they specifically targeted authentication tokens that Anodot's service uses to connect to its customers' **Snowflake** instances for data analysis.\n3.  **Downstream Attack**: Using these stolen tokens, **ShinyHunters** could then directly access the **Snowflake** accounts of Anodot's customers. From Snowflake's perspective, this access appeared legitimate, as it came from a trusted, authenticated third-party service.\n4.  **Data Exfiltration and Extortion**: Once inside the Snowflake environments, the attackers exfiltrated valuable data. They then posted their claims and ransom demands on their dark web leak site, beginning the extortion phase of the attack.\n\nThis method is particularly insidious because it bypasses the victims' own perimeter defenses and authentication controls. The compromise of a single vendor can provide the keys to dozens of downstream customer environments.\n\n## Technical Analysis\nThe core of this attack is the abuse of stolen API tokens/service credentials, a technique classified under [`T1528 - Steal Application Access Token`](https://attack.mitre.org/techniques/T1528/). These tokens are designed for machine-to-machine communication and often have broad permissions, making them a highly valuable target.\n\n*   **Snowflake's Statement**: **Snowflake** confirmed that its own core platform was not breached. The activity was isolated to customer accounts that were accessed using credentials originating from a compromised third-party tool, which they did not name but is confirmed by others to be **Anodot**.\n*   **Pivot to Other Platforms**: Reports indicate the attackers also attempted to use the access to pivot to other platforms like **Salesforce**, suggesting a broad campaign to leverage the initial breach as widely as possible.\n*   **ShinyHunters TTPs**: **ShinyHunters** is a well-known data extortion group that specializes in large-scale data theft and does not typically deploy ransomware. Their primary goal is to steal data and monetize it through ransom payments.\n\n### MITRE ATT&CK Mapping\n*   **[`T1195.001 - Compromise Software Supply Chain: Compromise Third-party Software/Service`](https://attack.mitre.org/techniques/T1195/001/)**: The entire incident is a textbook example of compromising a service to attack its customers.\n*   **[`T1528 - Steal Application Access Token`](https://attack.mitre.org/techniques/T1528/)**: The key enabler of the attack was the theft of authentication tokens from Anodot.\n*   **[`T1580 - Cloud Infrastructure Discovery`](https://attack.mitre.org/techniques/T1580/)**: Once in the Snowflake environment, attackers would have performed discovery to identify valuable data.\n*   **[`T1213.002 - Data from Information Repositories: Data from Cloud Storage Object`](https://attack.mitre.org/techniques/T1213/002/)**: The exfiltration of data from Snowflake.\n*   **[`T1657 - Financial Theft`](https://attack.mitre.org/techniques/T1657/)**: The ultimate goal of the extortion campaign.\n\n## Impact Assessment\nThe impact is significant and widespread, affecting multiple companies across different industries.\n*   **Named Victims**: **Rockstar Games**, developer of Grand Theft Auto, has been publicly named and extorted. Other alleged victims include **Payoneer**, **Amtrak**, **McGraw Hill**, and **Hallmark Cards**.\n*   **Data Breaches**: Each affected company is now facing a significant data breach, with the potential for sensitive corporate data, customer information, and intellectual property to be leaked.\n*   **Financial Loss**: Victims face the cost of incident response, legal fees, regulatory fines, and potentially paying a ransom.\n*   **Supply Chain Distrust**: The incident severely damages trust in SaaS integrations and will force many companies to re-evaluate their third-party risk management programs.\n\n## Cyber Observables for Detection\n| Type | Value | Description | Context | Confidence |\n|---|---|---|---|---|\n| log_source | `Snowflake Access History` | Look for queries or data access from the Anodot service account that are outside the established baseline, such as accessing unusual tables or exfiltrating large volumes of data. | Snowflake query logs and access history views. | high |\n| user_account_pattern | `ANODOT_SERVICE_USER` | Monitor for anomalous behavior from service accounts, such as logins from new IP ranges or attempts to access resources beyond their normal scope. | Cloud provider audit logs (e.g., CloudTrail). | high |\n| api_endpoint | `Snowflake API` | Unusually high volume of `GET` requests or data transfer from a specific service account token. | API gateway logs, Cloud provider flow logs. | medium |\n\n## Detection & Response\nDetecting this type of attack is challenging because the activity appears legitimate.\n1.  **Monitor Service Account Behavior**: Implement **[D3-UBA: User Behavior Analysis](https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis)** focused on non-human service accounts. Baseline the normal activity of third-party integrations (e.g., what data they access, how much, from where) and alert on any significant deviations.\n2.  **Cloud Security Posture Management (CSPM)**: Use CSPM tools to audit permissions granted to third-party services. Ensure they adhere to the principle of least privilege.\n3.  **Token Rotation**: Immediately revoke and rotate the credentials for the Anodot integration. This is the primary containment step.\n\n## Mitigation\nPreventing such attacks requires a robust third-party risk management strategy.\n1.  **Principle of Least Privilege**: When integrating a third-party SaaS tool, grant it the absolute minimum permissions required to function. It should only be able to read the specific data it needs, not the entire data warehouse.\n2.  **IP Allowlisting**: Where possible, configure service account access to be restricted to a known set of IP addresses belonging to the vendor. This would have prevented **ShinyHunters** from using the stolen tokens from their own infrastructure.\n3.  **Regular Credential Rotation**: Implement a policy for the regular, automated rotation of all API keys and service tokens. This limits the window of opportunity for an attacker if a token is stolen.\n4.  **Vendor Security Assessments**: Do not blindly trust vendors. Conduct thorough security assessments before integrating any third-party service that will have access to sensitive data. This is a key part of **[M1016 - Vulnerability Scanning](https://attack.mitre.org/mitigations/M1016/)** applied to the supply chain.","ShinyHunters gang exploits a breach at AI firm Anodot to attack Snowflake customers. The supply chain attack used stolen auth tokens to access cloud data, with Rockstar Games among the named victims. ☁️ #DataBreach #SupplyChain #Snowflake","A breach at Anodot allowed the ShinyHunters gang to steal authentication tokens and launch a supply chain attack against Snowflake customers, including Rockstar Games, resulting in data theft and extortion.",[13,14,15],"Supply Chain Attack","Data Breach","Cloud Security","high",[18,22,26,30,33,35,37,39,41],{"name":19,"type":20,"url":21},"ShinyHunters","threat_actor","https://malpedia.caad.fkie.fraunhofer.de/actor/shinyhunters",{"name":23,"type":24,"url":25},"Anodot","company","https://www.anodot.com/",{"name":27,"type":28,"url":29},"Snowflake","product","https://www.snowflake.com/",{"name":31,"type":24,"url":32},"Rockstar Games","https://www.rockstargames.com/",{"name":34,"type":24},"Payoneer",{"name":36,"type":24},"Amtrak",{"name":38,"type":24},"McGraw Hill",{"name":40,"type":24},"Hallmark Cards",{"name":42,"type":28},"Salesforce",[],[45,51,56,62],{"url":46,"title":47,"date":48,"friendly_name":49,"website":50},"https://rhisac.org/cyber-security-articles/active-data-theft-campaign-targeting-snowflake-customers-via-anodot-third-party-saas-integration-breach/","Active Data Theft Campaign Targeting Snowflake Customers via Anodot Third-Party SaaS Integration Breach","2026-04-09","RH-ISAC","rhisac.org",{"url":52,"title":53,"date":48,"friendly_name":54,"website":55},"https://www.hackread.com/shinyhunters-claims-rockstar-games-snowflake-breach-anodot/","ShinyHunters Claims Rockstar Games Snowflake Breach via Anodot","Hackread","hackread.com",{"url":57,"title":58,"date":59,"friendly_name":60,"website":61},"https://www.computing.co.uk/news/4214539/shinyhunters-claims-rockstar-games-data-breach","ShinyHunters claims Rockstar Games data breach","2026-04-10","Computing UK","computing.co.uk",{"url":63,"title":64,"date":59,"friendly_name":65,"website":66},"https://www.helpnetsecurity.com/2026/04/13/rockstar-games-data-breach/","Rockstar Games receives “pay or leak” warning after cyberattack","Help Net Security","helpnetsecurity.com",[68,71],{"datetime":69,"summary":70},"2026-04-07","ShinyHunters begins claiming responsibility for attacks on Snowflake customers, attributing them to a breach at Anodot.",{"datetime":72,"summary":73},"2026-04-11","ShinyHunters posts a ransom demand for Rockstar Games, giving them a deadline of April 14.",[75,79,83,87,91],{"id":76,"name":77,"tactic":78},"T1195.001","Compromise Software Supply Chain: Compromise Third-party Software/Service","Initial Access",{"id":80,"name":81,"tactic":82},"T1528","Steal Application Access Token","Credential Access",{"id":84,"name":85,"tactic":86},"T1078.004","Valid Accounts: Cloud Accounts","Defense Evasion, Persistence, Privilege Escalation, Initial Access",{"id":88,"name":89,"tactic":90},"T1213.002","Data from Information Repositories: Data from Cloud Storage Object","Collection",{"id":92,"name":93,"tactic":90},"T1530","Data from Cloud Storage Object",[95,104,113,117],{"id":96,"name":97,"d3fend_techniques":98,"description":103},"M1026","Privileged Account Management",[99],{"id":100,"name":101,"url":102},"D3-SPP","Strong Password Policy","https://d3fend.mitre.org/technique/d3f:StrongPasswordPolicy","Apply the principle of least privilege to all service accounts and API tokens, granting them only the specific permissions needed to function.",{"id":105,"name":106,"d3fend_techniques":107,"description":112},"M1047","Audit",[108],{"id":109,"name":110,"url":111},"D3-DAM","Domain Account Monitoring","https://d3fend.mitre.org/technique/d3f:DomainAccountMonitoring","Continuously audit and monitor the activity of third-party service accounts for anomalous behavior, such as accessing unusual data or large-scale exfiltration.",{"id":114,"name":115,"description":116},"M1035","Limit Access to Resource Over Network","Use IP address allowlisting to restrict service account access to only the known IP ranges of the trusted vendor.",{"id":118,"name":119,"description":120},"M1016","Vulnerability Scanning","Extend risk management to the supply chain by conducting thorough security assessments of third-party vendors before integration.",[122,128],{"technique_id":123,"technique_name":124,"url":125,"recommendation":126,"mitre_mitigation_id":127},"D3-RAPA","Resource Access Pattern Analysis","https://d3fend.mitre.org/technique/d3f:ResourceAccessPatternAnalysis","To defend against attacks like the Anodot/Snowflake breach, organizations must implement Resource Access Pattern Analysis for all third-party service accounts. Instead of implicitly trusting the connection, security teams should use a Cloud-Native Application Protection Platform (CNAPP) or SIEM to baseline the service's normal behavior. For Anodot, this would mean establishing a profile of which specific Snowflake tables it queries, the frequency of those queries, and the typical volume of data returned. The system should then alert on any deviation from this pattern. For example, an alert should trigger if the Anodot service account suddenly queries a table named 'customer_pii' or 'source_code_gta7' that it has never touched before, or if it attempts to download 100x its normal data volume. This behavioral detection approach is critical for identifying when a legitimate, stolen token is being abused by an attacker.","M1040",{"technique_id":129,"technique_name":130,"url":131,"recommendation":132,"mitre_mitigation_id":133},"D3-ACH","Application Configuration Hardening","https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening","Organizations must apply rigorous Application Configuration Hardening to all third-party integrations. In the context of Snowflake, this means creating a dedicated role for the Anodot service with narrowly scoped, read-only access to only the specific schemas and tables required for cost analysis. The account should be explicitly denied access to all other data. Furthermore, network policies should be applied within Snowflake to restrict the service account's access to a specific, allow-listed set of source IP addresses provided by Anodot. This combination of least-privilege access and network controls would have mitigated this attack in two ways: first, the attackers would have been unable to access sensitive data outside the intended scope, and second, they would have been blocked from using the stolen token from their own infrastructure. This turns a trusted integration from a skeleton key into a key that only opens one specific door.","M1054",[],[136,141,144],{"type":137,"value":138,"description":139,"context":140,"confidence":16},"log_source","Snowflake's 'QUERY_HISTORY' view","Hunt for queries executed by the compromised service account (e.g., from Anodot) that access an unusually broad set of tables or attempt to query metadata tables like 'TABLES' or 'SCHEMATA'.","Snowflake administrative interface or SIEM with Snowflake logs.",{"type":137,"value":142,"description":143,"context":140,"confidence":16},"Snowflake's 'LOGIN_HISTORY' view","Look for logins from the compromised service account originating from IP addresses not associated with the vendor's known infrastructure (e.g., residential ISPs, TOR exit nodes, other cloud providers).",{"type":145,"value":146,"description":147,"context":148,"confidence":149},"user_account_pattern","Service accounts","Anomalous behavior from any third-party service account, such as a sudden spike in data egress, accessing data at unusual times, or attempting to escalate privileges.","Cloud provider audit logs (CloudTrail, Azure Activity Log), SIEM user behavior analytics.","medium",[151,152,153,154,155,156,157],"supply chain attack","shinyhunters","anodot","snowflake","data breach","cloud security","rockstar games","2026-04-10T15:00:00.000Z","NewsArticle",{"geographic_scope":161,"companies_affected":162,"industries_affected":163},"global",[31,34,36,38,40],[164,165,166,167,168],"Technology","Media and Entertainment","Finance","Transportation","Retail",5,1776260614275]