
Canadian police arrest alleged hacker behind cyberattacks that compromised ‘nearly all’ AT&T accounts

Bloomberg says Canadian Alexander Moucka used leaked credentials in online forums to access Snowflake clients’ accounts.


A man allegedly behind a series of corporate cyberattacks is reportedly in custody in Canada. Bloomberg reported on Monday that the suspect, 26-year-old Alexander “Connor” Moucka, was apprehended by authorities on a provisional arrest warrant on October 30, following a request from the US. The hacks targeted corporate customers of Snowflake, a cloud data partner of AT&T, Live Nation and others.

The hacks targeted over 100 organizations, leading to the theft of millions of users’ personal data. In addition to AT&T and Ticketmaster, that list included Lending Tree, Advance Auto Parts and Neiman Marcus. AT&T declined to comment for this story. We also contacted Live Nation but haven’t heard back. (We’ll update this story if we do.)

Krebs on Security reported on Tuesday that Moucka is named in multiple sealed indictments from US prosecutors and federal law enforcement agencies. The suspect allegedly obtained stolen credentials from cybercriminal forums and similar sources, betting that customers had reused the same credentials elsewhere. He is said to have then used those logins to access the accounts of Snowflake’s corporate clients and extort them, threatening to sell the data on criminal forums if they didn’t pay. AT&T reportedly paid the hacker a $370,000 ransom to delete the records.

Krebs says the online handles Moucka used corresponded to those of a “prolific cybercriminal” sitting at the intersection of “Western, English-speaking cybercriminals and extremist groups that harass and extort minors into harming themselves or others.” The report claims Moucka was part of a hacking group called “UNC5537” that also included an “elusive” American, John Erin Binns, currently in Turkey. Binns was behind a 2021 T-Mobile hack that affected at least 76.6 million customers.

Snowflake pointed fingers at its corporate clients for failing to set up multi-factor authentication. “We have a broader challenge in the security community and enterprises that a lot of people aren’t nailing the basics,” Snowflake’s Chief Information Security Officer Brad Jones told Bloomberg. But Snowflake’s apparent failure to require two-factor security sits on equal ground with its customers’ decisions not to set it up — especially with millions of customers’ information on the line.
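The two conditions described above, reused passwords tried against many accounts and logins that never had a second factor, both leave traces in a cloud platform’s login history. The following is an added example, not code from Engadget, Snowflake or any of the companies named, showing how a defender could sweep exported login records for both patterns. The login rows, the account names and the IP addresses are all constructed for illustration, and the column layout (timestamp, user, client IP, first and second authentication factor, success flag) is an assumption modelled on the shape of a typical login-history export rather than any vendor’s exact schema.

```python
# Added example: flag password-only logins and one source IP cycling through
# many accounts, the signature of credential reuse attacks. All records and
# addresses below are constructed; the column layout is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-history rows:
# (timestamp, user, client_ip, first_factor, second_factor, success)
LOGIN_EVENTS = [
    ("2024-04-10T01:15:00", "alice",   "198.51.100.20", "PASSWORD", "DUO_PUSH", True),
    ("2024-04-10T02:01:05", "etl_svc", "203.0.113.7",   "PASSWORD", None,       True),
    ("2024-04-10T03:00:00", "bob",     "192.0.2.50",    "PASSWORD", None,       False),
    ("2024-04-10T03:00:12", "carol",   "192.0.2.50",    "PASSWORD", None,       False),
    ("2024-04-10T03:00:25", "dave",    "192.0.2.50",    "PASSWORD", None,       False),
    ("2024-04-10T03:00:41", "etl_svc", "192.0.2.50",    "PASSWORD", None,       True),
    ("2024-04-10T03:01:02", "frank",   "192.0.2.50",    "PASSWORD", None,       False),
    ("2024-04-10T09:30:11", "alice",   "198.51.100.20", "PASSWORD", "DUO_PUSH", True),
    ("2024-04-10T09:31:40", "bob",     "198.51.100.21", "PASSWORD", "DUO_PUSH", True),
]


def parse_events(rows):
    """Turn raw tuples into dicts, sorted by time so sliding windows work."""
    events = []
    for ts, user, ip, first, second, ok in rows:
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "ip": ip,
            "first": first, "second": second, "ok": ok,
        })
    return sorted(events, key=lambda e: e["ts"])


def single_factor_logins(events):
    """Accounts that completed a login with a password and no second factor.
    Every one of these is an account a leaked password alone would open."""
    return {
        e["user"] for e in events
        if e["ok"] and e["first"] == "PASSWORD" and not e["second"]
    }


def spraying_sources(events, window=timedelta(minutes=10), min_users=4):
    """Client IPs that tried at least min_users distinct accounts inside a
    sliding time window. Returns {ip: max distinct users seen in a window}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)  # input is time-sorted, so each list is too
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {x["user"] for x in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(len(users), flagged.get(ip, 0))
    return flagged


def likely_compromised(events):
    """Accounts that succeeded with a single factor from a spraying source:
    the intersection of the two weaknesses, and the first accounts to reset."""
    sprayers = spraying_sources(events)
    return {
        e["user"] for e in events
        if e["ok"] and e["ip"] in sprayers
        and e["first"] == "PASSWORD" and not e["second"]
    }


EVENTS = parse_events(LOGIN_EVENTS)

if __name__ == "__main__":
    print("single-factor accounts:", sorted(single_factor_logins(EVENTS)))
    print("spraying sources:", spraying_sources(EVENTS))
    print("likely compromised:", sorted(likely_compromised(EVENTS)))
```

On the constructed rows the service account `etl_svc` is the one that matters: it already logs in without a second factor from its usual address, so when the spraying source lands a valid password for it the login looks identical to a normal one. That is why the single-factor list is worth reviewing on its own, before any attack shows up, rather than only after a source starts cycling through accounts.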

Why did AT&T and other companies entrust Snowflake with so much customer data? The wireless carrier hasn’t said. Snowflake offers cloud-based data analysis services. In July, AT&T said that “nearly all” of its customers were affected by the hack, which suggests that almost all of its subscribers were potentially having their data analyzed by a cloud partner of their wireless carrier. A total of 110 million AT&T customers were said to be affected.

Fortunately, AT&T said the breach didn’t contain the contents of calls or texts. However, it included the phone numbers each account interacted with and a tally of each customer’s calls, texts, and call durations. It also contained cell site identification numbers. Cybersecurity expert Javvad Malik told Engadget this summer that the latter could “potentially allow for the triangulation of users’ locations.”