
Kitchener, Ontario, man arrested in massive Snowflake hacking plot faces possible extradition to US

A Kitchener, Ontario man accused of participating in a massive hacking scheme affecting cloud storage provider Snowflake has been arrested and could be extradited to the United States.

25-year-old Connor Moucka was arrested at his home in the Stanley Park area on October 30 on a provisional arrest warrant issued at the request of US authorities.

In the criminal investigation, Moucka, who is alleged to be Alexander Moucka, also known as judische, catist, ellyel8 and waifu, is accused of being a conspirator along with irdev and John Binns, a resident of Turkey, also known as j_irdev1337.

Indictment documents obtained by CBC suggest that individuals other than Moucka and Binns may have been involved in a scheme to “infiltrate the protected computer networks of at least 10 victim organizations.”

Snowflake, which reported the data breach to US authorities a few months ago, is an American-based data storage company with customers including telecommunications giant AT&T, Live Nation’s Ticketmaster and Santander Bank.

The United States District Court for the Western District of Washington issued a warrant for Moucka’s arrest on Oct. 29, according to an unsealed arrest warrant obtained by CBC from the Superior Court of Justice in Kitchener.

He is charged with conspiracy, computer fraud and abuse, computer fraudulent extortion, wire fraud and aggravated identity theft. No charges were filed. His case was adjourned until Friday for an update on his legal aid situation.

Ottawa official says defendant is awaiting legal aid

The indictment alleges that Moucka and Binns “profited from these schemes through a variety of means, including successfully extorting at least 36 bitcoins (worth approximately $2.5 million at the time of payment) from at least three victims.”

The warrant also says Moucka’s arrest is necessary in the public interest.

“On November 12, Mr. Moucka indicated that he was still awaiting a decision from legal aid,” Ian McLeod, senior advisor for media relations at the Department of Justice Canada, said in a statement emailed to CBC.

“As extradition requests are considered confidential interstate communications, we cannot comment further on this case.”

The US Department of Justice declined to comment. CBC reached out to the prison where Moucka is currently being held, but contact was declined. He is not yet represented by a lawyer.

On May 30, Snowflake posted a notice on its website acknowledging that the company was aware of a possible breach of its online data.

Cybersecurity organizations Crowdstrike and Mandiant Consulting, part of Google Cloud, were assigned to investigate.

“We learned that data from several organizations was stored in Snowflake tenants that an attacker accessed and then made bulk downloads from their Snowflake environments and then used that stolen data to reach out to the organizations and blackmail them,” Mandiant chief technology officer Charles Carmichael said in an interview with CBC.

The company began investigating on April 14 and tracked down approximately 165 potentially exposed organizations operating through Snowflake’s services, according to Carmichael.


Carmichael said the apparent perpetrator, referred to throughout the investigation as UNC5537, did not compromise Snowflake itself but obtained personal information and used it to get in.

“The threat actor leveraged stolen credentials for customer tenants and then used that to log in as if they were an employee or contractor of a company with a Snowflake account.”

In June, Mandiant publicly released a report on its findings.

“The initial compromise by information-stealing malware occurred on contractor systems that were also used for personal activities such as gaming and downloading pirated software,” the report stated.
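The pattern described above, a stolen credential used for a password-only login followed by a bulk download, is something a tenant owner can look for in its own login and export records. The following is an added example, not code from the article, Mandiant or Snowflake; the event tuples are constructed and their field layout is an assumption, not Snowflake's actual log schema.

```python
from collections import defaultdict

# Constructed sample events (not real Snowflake telemetry), in timestamp order.
# Login row: (timestamp, user, source_ip, second_factor_used, session_id)
LOGIN_EVENTS = [
    ("2024-04-10T09:00:00Z", "contractor_a", "203.0.113.10", True,  "s1"),
    ("2024-04-12T22:14:00Z", "contractor_a", "198.51.100.7", False, "s2"),
    ("2024-04-13T03:02:00Z", "analyst_b",    "203.0.113.44", True,  "s3"),
]
# Export row: (timestamp, session_id, rows_exported)
EXPORT_EVENTS = [
    ("2024-04-10T09:30:00Z", "s1", 1_200),
    ("2024-04-12T22:20:00Z", "s2", 48_000_000),
    ("2024-04-13T03:30:00Z", "s3", 9_000),
]


def rows_per_session(export_events):
    """Sum exported rows by session so a burst of smaller pulls is not missed."""
    totals = defaultdict(int)
    for _, session_id, rows in export_events:
        totals[session_id] += rows
    return totals


def flag_suspicious_sessions(login_events, export_events, row_threshold):
    """Return session ids where a login WITHOUT a second factor came from an IP
    never before seen for that user AND the same session then exported at least
    row_threshold rows. A first-seen IP with a second factor present is treated
    as a legitimate new device and only extends the user's baseline."""
    exported = rows_per_session(export_events)
    seen_ips = defaultdict(set)   # user -> IPs observed so far (the baseline)
    flagged = []
    for _, user, ip, second_factor, session_id in login_events:
        first_seen_ip = ip not in seen_ips[user]
        seen_ips[user].add(ip)
        if first_seen_ip and not second_factor and exported[session_id] >= row_threshold:
            flagged.append(session_id)
    return flagged


if __name__ == "__main__":
    # Session s2 is the stolen-credential pattern: new IP, no second factor,
    # followed by a multi-million-row export from the same session.
    print(flag_suspicious_sessions(LOGIN_EVENTS, EXPORT_EVENTS, 1_000_000))
```

Requiring a second factor and restricting logins to approved network ranges turns this from a detection into a prevention, which is why the login-history baseline matters most for accounts that cannot yet be moved onto those controls.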

Timeline of data breach investigation
A timeline following the investigation into the Snowflake data breach has been published on cybersecurity company Mandiant’s website. (Mandiant’s Google Cloud blog post)

Since the pandemic, more people are working from home and using personal computers to access their work environments, Carmichael said.

“We started to really blend business and personal use in systems, and that allowed threat actors to access corporate resources primarily through less protected infrastructure,” he said.

A spokesperson for the company Snowflake declined CBC’s request for comment.

Canadian suspect identified

Although not initially involved in the Snowflake investigation, Unit 221B’s lead investigator, Allison Nixon, said it was threats to investigators within her organization that piqued the security company’s interest.

US-based Unit 221B specializes in cybersecurity consulting, threat intelligence and identification of cybercriminals.

“What was really funny was that we were never going to work on Snowflake. We had never talked to Snowflake, but for some reason (username) Waifu convinced herself (we were),” Nixon explained.

After being targeted by online threats, the security company dug deeper until it found a critical error in operational security made by the person issuing them.

“We found the OPSEC (operational security) mistake he made, and we were half the reason his personal information was deleted. The other half is some anonymous partners.”

While Nixon couldn’t share the exact error, she said the user behind the account later posted false information to various platforms in an attempt to cover up the fact that the user’s identity had been revealed.

Nixon said the company was thrilled when Moucka’s arrest became public knowledge, adding: “It was a huge win.”