A Kitchener, Ont., man accused of taking part in a massive hacking scheme affecting cloud storage provider Snowflake has been arrested and may be extradited to the United States.
Connor Moucka, 25, was arrested on Oct. 30 at his Stanley Park area home on a provisional warrant following a request by U.S. authorities.
Moucka — alleged to be the person also known as Alexander Moucka, judische, catist, ellyel8 and waifu in the criminal investigation — is accused of being a co-conspirator along with John Binns, a resident of Turkey also known as irdev and j_irdev1337.
Indictment documents also obtained by CBC suggest others beyond Moucka and Binns may have been involved in the scheme to “hack into at least 10 victim organizations’ protected computer networks.”
Snowflake, which reported the data breach to U.S. authorities several months ago, is a U.S.-based data storage company whose customers include telecommunications giant AT&T, Live Nation’s Ticketmaster and Santander Bank.
According to an unsealed arrest warrant obtained by CBC from the Superior Court of Justice in Kitchener, the United States District Court for the Western District of Washington issued the warrant for Moucka’s arrest on Oct. 29.
He’s accused of conspiracy, computer fraud and abuse, extortion in relation to computer fraud, wire fraud and aggravated identity theft. No charges have been laid. His case was remanded to Friday for an update on his legal aid status.
Accused waiting for legal aid, Ottawa official says
The indictment documents allege Moucka and Binns “profited from these schemes through several means, including by successfully extorting at least 36 bitcoin (worth approximately $2.5 million at the time of payment) from at least three victims.”
The warrant also says Moucka’s arrest was necessary in the public interest.
“On Nov. 12, Mr. Moucka indicated that he is still waiting for a decision from legal aid,” Ian McLeod, senior adviser of media relations with the Department of Justice Canada, said in an emailed statement to CBC.
“As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case.”
The U.S. Department of Justice declined to comment. CBC reached out to the jail where Moucka is currently being held but was denied communication. He is not yet represented by a lawyer.
On May 30, Snowflake posted a notice to its website acknowledging it was aware of a possible compromise of the company’s online data.
Cybersecurity firms CrowdStrike and Mandiant Consulting, which is part of Google Cloud, were hired to investigate.
“We learned that a number of organizations had their data stored in Snowflake tenants which an adversary was accessing and then mass downloading from Snowflake environments and then using that stolen data to reach out to organizations and then extort them,” Charles Carmichael, Mandiant’s chief technology officer, said in an interview with CBC.
According to Carmichael, the company began investigating on April 14 and tracked roughly 165 potentially exposed organizations operating with Snowflake’s services.
Carmichael said the apparent perpetrator, referred to as UNC5537 throughout the investigation, didn’t compromise Snowflake itself but used stolen personal information to get into the accounts of companies that were Snowflake customers.
“The threat actor had leveraged stolen credentials for customer tenants and then used that to log in as if they were an employee or contractor of the company that had a Snowflake account.”
In June, Mandiant publicly released a report of its findings.
“The initial compromise of infostealer malware occurred on contractor systems that were also used for personal activities, including gaming and downloads of pirated software,” reads the report.
Carmichael said that since the pandemic, more people have been working from home and using personal computers to access work environments.
“We’ve started really blending work and personal use on systems, and that’s enabled threat actors to essentially get access to corporate resources by way of less protected infrastructure,” he said.
A Snowflake spokesperson declined CBC’s request for comment.
Identifying the suspect from Canada
Allison Nixon, chief researcher with Unit 221B, said the security company was not initially involved in the Snowflake investigation; it was threats made against researchers within her organization that piqued its interest.
U.S.-based Unit 221B specializes in cybersecurity consulting, threat intelligence and identifying cyber criminals.
“What’s really funny is we weren’t going to work on Snowflake at all. We had never talked to Snowflake, but for some reason, [username] Waifu convinced himself [we were],” Nixon explained.
After being targeted by the online threats, the security company dug deeper until it found a critical operations security mistake made by the person who had posted them.
“We found the OPSEC [operations security] slip-up that he made and we’re like half the reason that he got doxxed. The other half are some unnamed partners.”
Though Nixon wasn’t able to share the exact mistake, she said the user behind the account later posted misinformation to various platforms in an attempt to obscure the fact that the user’s identity had been revealed.
When it became public knowledge that Moucka had been arrested, Nixon said, the company was thrilled, adding: “It was a huge win.”