EPAM denies link to Snowflake customer attacks

EPAM Systems Inc. denied a report that it was involved in last month's attacks against Snowflake databases that may have affected more than 165 customer organizations.

In May, cloud storage and analytics giant Snowflake confirmed reports from security vendor Mitiga that a threat actor, tracked as UNC5537, used stolen credentials to compromise customer databases. Snowflake stressed that the attacks were not a result of any vulnerability or misconfiguration inside the company, and that attacks targeted accounts that lacked MFA protection. Those details were supported by Mandiant's investigation into UNC5337, which determined the financially motivated threat actor used previously compromised customer credentials to conduct the attacks.

Several reports tied the Snowflake database attacks to recent breaches at companies such as Ticketmaster and Santander Bank. Mandiant traced initial activity to April and found infostealer malware infections on third-party contractor systems.

A Wired report published Monday stated a threat actor it was communicating with told the news outlet that they obtained access to some of the Snowflake customers, including Ticketmaster, by initially breaching one such contractor: EPAM, a Belarusian software company. According to Wired, a threat actor associated with the ShinyHunters cybercriminal group claimed they compromised an EPAM employee's system with infostealer malware and stole credentials for some Snowflake customer accounts.

However, in a blog post published on Monday, EPAM denied the allegations. EPAM said it has worked with Mandiant over the past several weeks to investigate the Snowflake attacks.

"To date, based on the results of our internal investigation and the findings from Mandiant, EPAM is not a party to the data breach. There is no evidence that the threat actor had any access to EPAM's assets, environments, production systems or source code," EPAM initially wrote in the blog post. "Unfortunately, unnamed hackers interviewed by a popular technology media outlet decided to target us for their misinformation campaign, resulting in a story published today and picked up on social media."

A Mandiant spokesperson told TechTarget Editorial that the company did not perform an independent investigation into EPAM's systems, and that EPAM updated the blog post to address any potential confusion. At press time, EPAM's blog post now says, "To date, based on the results of our internal investigation, and investigations conducted with our clients, EPAM is not a party to the data breach."

The blog post also addressed the part of Wired's report that claimed the threat actor used data found on an EPAM employee system to gain access to some of the Snowflake accounts. The software vendor said the former employee it referenced had not worked at EPAM since 2021.

EPAM emphasized that it follows strong MFA and zero-trust access policies that includes password cycling.

"We will continue to investigate this matter, take appropriate actions and work with our clients and partners as needed," the blog post said.

EPAM urged users to enable MFA, implement regular data backups and to report any suspicious activity.

EPAM did not respond to requests for comment at press time.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.