JumpCloud Blames North Korean Hackers for BreachThreat Actor is Financially Motivated and Focusing on Cryptocurrency, Says Mandiant
Days after attributing the recent breach in its customer environment, enterprise software company JumpCloud on Thursday confirmed the involvement of a North Korean nation-state actor who appears to be financially motivated to steal cryptocurrency.
JumpCloud Chief Information Security Officer Bob Phan confirmed that "fewer than five JumpCloud customers… and fewer than 10 devices in total were impacted."
Phan said the company serves more than 200,000 organizations who rely on the JumpCloud platform for a variety of identity, access, security and management functions, and it is important to disclose that the attack was extremely targeted and limited to specific customers (See: Software Firm JumpCloud Attacked by Nation-State Actors).
"All impacted customers have been notified directly," Phan said. The investigation is ongoing and U.S. federal law enforcement and private cybersecurity firm CrowdStrike are helping in forensic and incident response activities, he added.
Financially Motivated Actor
While JumpCloud did not name the threat actor behind the surgical attack, and CrowdStrike declined to comment, citing the "active engagement," Reuters, quoting Adam Meyers, senior vice president of intelligence at CrowdStrike, identified the hackers as "Labyrinth Chollima" - one of the most prolific Democratic People's Republic of Korea adversaries tracked by CrowdStrike. It has been active since at least 2009.
Cybersecurity firm Mandiant, which is currently working with one of the downstream victims compromised by the JumpCloud intrusion, also attributed the attack to North Korean hackers.
Austin Larsen, senior incident response consultant for Mandiant, told Information Security Media Group: "Mandiant assesses with high confidence that this is a cryptocurrency-focused element within the DPRK's Reconnaissance General Bureau, targeting companies with cryptocurrency verticals to obtain credentials and reconnaissance data."
He said that this is a financially motivated threat actor that Mandiant has seen increasingly target the cryptocurrency industry and various blockchain platforms. "The blending and sharing of DPRK's cyber infrastructure makes attribution oftentimes difficult, however targeting remains consistent," Larsen said.
According to Mitre, Labyrinth Chollima is closely associated with the notorious North Korean Lazarus Group, and their tactics and techniques often overlap. SentinelOne Senior Threat Researcher Tom Hegel who studied the indicators of compromise recently shared by JumpCloud, tweeted that he is "highly confident in attributing the JumpCloud intrusion IOCs to North Korean threat actors" and suspects Lazarus could be involved, though more specifics are needed to pinpoint the accuracy.
Hegel, in a blog post, explained how he had linked the indicators of compromise to the APT infrastructure attributed to DPRK.
"It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks," Hegel said. "The JumpCloud intrusion serves as a clear illustration of their inclination toward supply chain targeting, which yields a multitude of potential subsequent intrusions. The DPRK demonstrates a profound understanding of the benefits derived from meticulously selecting high-value targets as a pivot point to conduct supply chain attacks into fruitful networks."