JumpCloud Hackers Likely Targeting GitHub Accounts TooTargets Include Blockchain, Crypto, Online Gambling and Cybersecurity Sectors
Suspected North Korean hackers who targeted enterprise software firm JumpCloud are likely behind a social engineering campaign targeting the personal GitHub accounts of employees from major technology firms - including those in the cybersecurity sector.
GitHub earlier this week said with "high confidence" that a North Korean state-sponsored threat group Jade Sleet is supporting Pyongyang's objectives and targeting personal GitHub user accounts connected to blockchain, cryptocurrency and online gambling sectors. The U.S. Cybersecurity and Infrastructure Security Agency is tracking the group as TraderTraitor.
"A few targets were also associated with the cybersecurity sector," GitHub said in its security alert.
Targeting cryptocurrency exchanges and blockchain-related companies is most commonly attributed to hackers under the Kim Jong Un regime. In 2022, North Korean hackers targeted crypto firms and stole at least $1.7 billion worth of cryptocurrency to fund its nuclear weapons program, said blockchain analysis firm Chainalysis (see: Banner Year for North Korean Cryptocurrency Hacking).
South Korea's state intelligence agency on Wednesday reportedly said that its northern neighbor stole millions worth of cryptocurrency last year, enough money to enable the dictatorship "to fire 30 intercontinental ballistic missiles."
"We estimate that the amount of money earned by its hackers accounts for about 30% of North Korea's total foreign currency earnings," a senior official from the South Korean National Intelligence Service said.
Social Engineering Tactics
GitHub said the threat actor created fake persona accounts on GitHub and other social media platforms to trap victims, but also observed some legitimate accounts taken over. "We identified fake personas that operated on LinkedIn, Slack and Telegram. The actor may initiate contact on one platform and then attempt to move the conversation to another platform," GitHub said.
After gaining the victim's trust, the threat actor entices them to collaborate on a GitHub repository and clone and execute the contents. "The GitHub repository contains software that includes malicious
npm dependencies," the security alert said. The software themes used by the threat actor vary from media players to cryptocurrency trading tools.
npm packages act as first-stage malware that downloads and executes second-stage malware on the victim's machine. "The threat actor often publishes their malicious packages only when they extend a fraudulent repository invitation, minimizing the exposure of the new malicious package to scrutiny," GitHub said.
The widely used hosting service provider for software developers said it has suspended the
npm and GitHub accounts associated with the campaign and filed abuse reports with domain hosts used for downloading the malicious packages in cases where the domain was still available at the time of detection.
Link with JumpCloud Hackers
JumpCloud on Thursday confirmed the involvement of a North Korean nation-state actor in a recent breach that impacted less than five of its customers (see: JumpCloud Blames North Korean Hackers for Breach).
SentinelOne Senior Threat Researcher Tom Hegel, who studied the indicators of compromise recently shared by JumpCloud, tweeted that one of the IP addresses shared by JumpCloud - 144.217.92[.]197 - is being used by the npmaudit[.]com domain name, which links the GitHub attackers' infrastructure.
"Based on the timing of this, I'm going to assume it's related to the JumpCloud intrusion but that's just my outsider perspective here," Hegel said.
Github noted that the mechanics of the first-stage malware are detailed in a blog by Phylum Security. "Phylum's work, conducted completely independent of GitHub, mirrors our own research," GitHub said.
Hegel was quick to point out that the ongoing NPM campaign detailed by Phylum includes infrastructure that overlaps with the JumpCloud and GitHub findings and that he is highly confident that it is the work of the North Korean Lazarus group.