CISA Warns About ‘Increase’ In Attacks Targeting Snowflake Customers

The advisory recommends that Snowflake customers hunt for malicious activity in their systems.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about the recent threat actor campaign targeting users of Snowflake and urging customers to proactively look for malicious activity.

In the advisory, CISA pointed to a post from Snowflake on Sunday, which came in response to allegations that Snowflake was the third-party cloud database mentioned by Ticketmaster owner Live Nation in a regulatory filing.

In a filing with the U.S. Securities and Exchange Commission Friday, Live Nation said that it had “identified unauthorized activity within a third-party cloud database environment” on May 20.

CISA’s advisory does not mention the Ticketmaster breach but does point to the “recent increase in cyber threat activity targeting [Snowflake] customer accounts,” which Snowflake had disclosed in its post.

“Snowflake issued a recommendation for users to query for unusual activity and conduct further analysis to prevent unauthorized user access,” CISA said in its advisory. “Users and administrators are encouraged to hunt for any malicious activity, report positive findings to CISA, and review the [posted] Snowflake notice for additional information.”

CRN has reached out to Snowflake for comment.

Live Nation did not mention Snowflake in the SEC filing Friday. However, a Ticketmaster spokesperson told media outlets that the affected cloud database was operated by Snowflake.

Snowflake said in its post, however, that customers were not impacted as a result of compromised Snowflake employee credentials or a breach of the Snowflake platform.

“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration or breach of Snowflake’s platform,” the company said.

In addition, “we have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel,” Snowflake said.

Rather than a breach or compromised Snowflake employee credentials, the company said in its post that it believes that “threat actors have leveraged credentials previously purchased or obtained through infostealing malware.”

“This appears to be a targeted campaign directed at users with single-factor authentication,” Snowflake said.

Snowflake said in its post that incident response teams from CrowdStrike and Mandiant agree with the company’s preliminary findings.

“Snowflake and third-party cybersecurity experts, CrowdStrike and Mandiant, are providing a joint statement related to our ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts,” the company said in its post.

ShinyHunters is the hacker group believed to be behind the breach, according to multiple media reports. In 2021, the group was connected to a breach of Astoria Co., and media reports have also tied the ShinyHunters threat group to the breach of Santander Bank that the bank had disclosed in mid-May.


