North Korean state-backed hackers breached U.S. enterprise software company JumpCloud to target its cryptocurrency clients, security researchers said on Thursday.
JumpCloud, a directory platform that allows enterprises to authenticate, authorize and manage users and devices, said this week that a nation-state actor was behind a June breach of its systems that forced the company to reset customers’ API keys.
While JumpCloud didn’t at the time attribute the hackers to a particular nation, researchers at cybersecurity companies CrowdStrike and SentinelOne have today attributed the breach to North Korea-backed hackers called Lazarus, a well-known group known for targeting crypto entities such as the Ronin Network and Harmony’s Horizon Bridge. Incident responders at Mandiant also attributed the hack to North Korea.
CrowdStrike has linked the JumpCloud attack to “Labyrinth Chollima,” a sub-group of the notorious Lazarus hacking group that was also linked to the recent supply-chain attacks targeting enterprise phone maker 3CX. CrowdStrike senior vice president for intelligence Adam Meyers told Reuters that the hackers, which the cybersecurity company has been tracking since 2009 and describes as one of the “most prolific DPRK adversaries,” has a history of targeting individuals related to the cryptocurrency sector. North Korea has a long history of using crypto-stealing operations to fund its sanctioned nuclear weapons program.
Separately, SentinelOne researcher Tom Hegel confirmed that indicators of compromise (IOCs) shared by JumpCloud are “linked to a wide variety of activity we attribute to DPRK.” Hegel said in a tweet he was “highly confident” in attributing the breach to North Korea, and said the hackers may have also been behind a recent social engineering campaign targeting GitHub customers.
The “low-volume” campaign targeted the personal accounts of employees of technology firms, GitHub said in a blog post last week, many of which are connected to the blockchain, cryptocurrency or online gambling sectors. GitHub attributed the targeting to “a group operating in support of North Korean objectives,” tracked as TraderTraitor by CISA.
“Based on public details available as of this writing, it’s unclear if the GitHub alert originated from the JumpCloud incident or if they are separate efforts by the same attacker,” Hegel said.
Mandiant, which is working with a customer that was compromised by the JumpCloud breach, confirmed on Thursday it “assesses with high confidence” that the hackers are a cryptocurrency-focused element within North Korea’s Reconnaissance General Bureau, or RGB. Mandiant said this hacking unit targets companies “with cryptocurrency verticals to obtain credentials and reconnaissance data.”
Later, JumpCloud confirmed CrowdStrike’s findings and said fewer than five customers — and fewer than 10 devices — were compromised by the hackers. JumpCloud’s software is used by more than 180,000 organizations, and the company has more than 5,000 paying customers.
“Upon detecting the incident, we immediately took action based on our incident response plan to mitigate the threat, secure our network and perimeter, communicate with our customers, and engage law enforcement,” JumpCloud spokesperson Josie Judy told TechCrunch earlier in the day.
In May, U.S. officials announced new sanctions against North Korea’s army of illicit IT workers, which they claim have fraudulently gained employment around the world to finance the regime’s weapons of mass destruction programs. The U.S. State Department is also offering rewards of up to $10 million for information that could help disrupt North Korean hackers.
Updated with comment from Mandiant, and later with an update from JumpCloud.
Comment