(Bloomberg) -- Cybercriminals are demanding payments of between $300,000 and $5 million apiece from as many as 10 companies breached in a campaign that targeted Snowflake Inc. customers, according to a security firm helping with the investigation.

The hacking scheme has entered a “new stage” as the gang looks to profit from the most valuable information it has stolen, said Austin Larsen, a senior threat analyst at Google’s Mandiant security business, which helped lead Snowflake’s inquiry. That includes auctioning companies’ data on illegal online forums to try to pressure them into making payments, he said.

“We anticipate the actor to continue to attempt to extort victims,” Larsen said.

Snowflake, a cloud-based data analytics firm, said on June 2 that hackers had launched a “targeted” effort directed against Snowflake users that used single-factor authentication techniques. The company declined to comment on any specific customers.

The hacking group used stolen login details to access the Snowflake accounts of as many as 165 Snowflake customers and steal data, Larsen said. It has used the stolen information in attempts to extort money from five to 10 of Snowflake’s customers, he said. It wasn’t immediately clear which of Snowflake’s clients have been affected.

Mandiant has attributed the attack to a group it calls “UNC5537,” with members based in North America and Turkey. Larsen said members of the gang have made death threats against cybersecurity experts investigating it. In one case, UNC5537 used artificial intelligence to create fake nude photos of a researcher to harass them, Larsen said.

Mandiant said it was investigating the “possibility” that a UNC5337 hacker collaborated with a diffuse cybercriminal group known as “Scattered Spider” on at least one intrusion within the past six months, however the nature of such a relationship remains murky. Cybersecurity vendor CrowdStrike Holdings Inc. assigned the Scattered Spider name to the group, which functions as a loose community.

Illicit data brokers are now seeking prices above typical black-market rates for the data stolen from Snowflake customers, possibly in the hopes of pressuring the affected firms to pay a ransom, Larsen said. Snowflake has said it plans to close its internal investigation into the hacking campaign and that it hadn’t detected any unauthorized access into its customers’ servers in recent days.

Ticketmaster owner Live Nation Entertainment Inc. said it had discovered “unauthorized access” within a third-party cloud database, which a person familiar with the matter said was hosted on Snowflake.

Since then, Pure Storage Inc. has also disclosed that it experienced a breach of a Snowflake workspace. Advanced Auto Parts said it was investigating reports that the company may have experienced Snowflake-related issues.

Mandiant on Monday released guidance for companies on how to detect UNC5537 hackers, based on recent activity. Credentials from several customers previously were exposed via so-called information-stealing malware, the company said. 

(Updated to include additional context in sixth and eleventh paragraphs.)

©2024 Bloomberg L.P.