For the past two months, cybercriminals have advertised for sale hundreds of millions of customer records from major companies like Ticketmaster, Santander Bank, and AT&T. And while massive data breaches have been a fact of life for more than a decade now, these recent examples are significant, because they are all connected. Each victim company was a customer of the cloud data storage firm Snowflake and was compromised not through a sophisticated hack, but because attackers had login credentials for each victim company’s Snowflake accounts—a data-stealing spree that impacted at least 165 Snowflake customers.
Attackers didn’t grab this trove of logins by directly breaching Snowflake or through a targeted supply chain attack. Instead, they found the credentials in a hodgepodge of stolen data grabbed haphazardly by “infostealer” malware.
After years of operation, infostealers are having a moment. The malware, which often finds its way onto people’s machines through downloads of pirated software, can steal usernames and passwords, cookies, search history, financial information, and more from web browsers. This data collected by infostealers is increasingly being used by all kinds of hackers to compromise companies—and cybersecurity experts warn of more high-profile data breaches to come.
“We’ve seen nation-states leverage infostealers, we’ve seen criminals leverage infostealers, and we’ve seen teenage hacking crews leverage infostealers,” says Charles Carmakal, chief technology officer of Google-owned cybersecurity firm Mandiant. Russia’s APT29 hackers and cybercriminal gangs such as Lapsus$ and Scattered Spider are among the many hackers using infostealers. Just days after the global CrowdStrike outage, hackers created a new infostealer in an attempt to capitalize on the chaos.
Infostealers are defined less by their technical capabilities and more by their role in the malicious hacker ecosystem. Of course, to minimally qualify, they must be designed to steal information. But what separates infostealers from spyware or other malware used in espionage or targeted data breaches is that infostealers are spread opportunistically and indiscriminately. They grab data from the browsers of whatever computers they end up infecting. Then the attackers who run them compile and organize this chaotic and largely random assemblage of data—often on a marketplace or in a public forum like a Telegram channel. It is only then that infostealer operators or their customers comb their haul for valuable credentials and access tokens amidst the massive amount of junk. Ian Gray, director of analysis and research at the security firm Flashpoint, says there are likely hundreds of variants of infostealers in circulation.
There are some account access tokens that would have obvious value for many types of cybercriminals. If a data dump included working login credentials for a corporate employee’s enterprise accounts, a ransomware gang, business email compromise scammer, or state-backed actor could use the access as a jumping off point to launch their attacks. But in addition to selling these prized details, infostealer operators maximize the value of the data they collect simply by making their stolen data available. Platforms like Genesis Market, which was taken down by law enforcement last year, and Russian Market, organize infostealer logs and even make them somewhat searchable so hackers who are looking to target more niche organizations or those who don’t have financial motivations can potentially find exactly what they need.
These platforms take cues in how they are designed and marketed from legitimate information and ecommerce services. Many markets and forums charge a subscription fee to access the platform and then have different pricing structures for data depending on how valuable it might be. Currently, Gray says, Russian Market has so much stolen data available from infostealers that it has been charging a low flat rate, typically no more than $10, for any subset of data users want to download.
“Organizations have become very good with their security, and people have also gotten more savvy, so they’re not the best targets now,” for traditional tailored attacks, Gray says. “So attackers need something that’s less targeted and more based on what they can make use of. Infostealers are modular and often sold on a subscription basis, and that evolution probably aligns with the rise of modern subscription services like video streaming.”
Infostealers have been especially effective with the rise of remote work and hybrid work, as companies adapt to allowing employees to access work services from personal devices and personal accounts from work devices. This creates opportunities for infostealers to randomly compromise individuals on, say, their home computers but still end up with corporate access credentials because the person was logged into some of their work systems as well. It also makes it easier for infostealing malware to get around corporate protections, even on enterprise devices, if employees are able to have their personal email or social media accounts open.
“I started paying attention to this once it became an enterprise problem,” Mandiant’s Carmakal says. “And particularly around 2020, because I started seeing more intrusions of enterprises first starting from compromises of home computers—through phishing of people’s Yahoo accounts, Gmail accounts, and Hotmail accounts that were totally unrelated to any enterprise targeting, but to me look very opportunistic.”
Victoria Kivilevich, director of threat research at security firm KELA, says that in some instances criminals can use cybercrime markets to search for the domain of potential targets and see if any credentials are available. Kivilevich says the sale of infostealer data can be considered as the “supply chain” for various types of cyberattacks, including ransomware operators looking for the details of potential victims, those involved in business email compromise, and even initial access brokers who can sell the details along again to other cybercriminals.
On various cybercrime marketplaces and Telegram, Kivilevich says, there have been more than 7,000 compromised credentials linked to Snowflake accounts being shared. In one instance, a criminal has been touting access to 41 companies from the education sector; another cybercriminal claims to be selling access to US companies with revenues between $50 million and $8 billion, according to Kivilevich’s analysis.
“I don’t think there was one company that came to us and had zero accounts compromised by infostealer malware,” Kivilevich says of the threat that infostealer logs provide to businesses, with KELA saying infostealer-related activity jumped in 2023. Irina Nesterovsky, KELA’s chief research officer, says millions of credentials have been collected by infostealing malware in recent years. “This is a real threat,” Nesterovsky says.
Carmakal says there are multiple steps companies and individuals can take to protect themselves from the threat of infostealers and their aftereffects, including using antivirus or EDR products to detect malicious activity. Companies should be strict on enforcing multifactor authentication across their users, he says. “We try to encourage people to not synchronize passwords on their corporate devices with their personal devices,” Carmakal adds.
The use of infostealers has been working so well that it is all but inevitable that cybercriminals will look to replicate the success of compromise sprees like Snowflake and get creative about other enterprise software services that they can use as entry points for access to an array of different customer companies. Carmakal warns that he expects to see this result in more breaches in the coming months. “There’s no ambiguity about this,” he says. “Threat actors will start hunting for infostealer logs, and looking for other SaaS providers, similar to Snowflake, where they log in and steal data, and then extort those companies.”