US-based enterprise software company JumpCloud was breached by North Korean Lazarus Group hackers, according to security researchers at SentinelOne, CrowdStrike, and Mandiant.
In a report published on Thursday, SentinelOne Senior Threat Researcher Tom Hegel linked the North Korean threat group to the JumpCloud hack based on multiple indicators of compromise shared by the company in a recent incident report.
“Reviewing the newly released indicators of compromise, we associate the cluster of threat activity to a North Korean state sponsored APT,” said Hegel.
“The IOCs are linked to a wide variety of activity we attribute to DPRK, overall centric to the supply chain targeting approach seen in previous campaigns.”
Cybersecurity firm CrowdStrike also formally tagged Labyrinth Chollima (whose activity overlaps with that of Lazarus Group, ZINC, and Black Artemis) as the particular North Korean hacking squad behind the breach based on evidence found while investigating the attack in collaboration with JumpCloud.
“One of their primary objectives has been generating revenue for the regime. I don’t think this is the last we’ll see of North Korean supply chain attacks this year,” CrowdStrike Vice President for Intelligence Adam Meyers told Reuters.
Mandiant also pinned the attack on an unnamed North Korean threat actor known for targeting cryptocurrency organizations.
“Mandiant assesses with high confidence that this is a cryptocurrency-focused element within the DPRK’s Reconnaissance General Bureau (RGB), targeting companies with cryptocurrency verticals to obtain credentials and reconnaissance data,” Senior Incident Response Consultant Austin Larsen told BleepingComputer.
“This is a financially motivated threat actor that we’ve seen increasingly target the cryptocurrency industry and various blockchain platforms.”
Larsen also said that the attackers have already hit a downstream victim after breaching JumpCloud, with Mandiant anticipating that there are other victims currently dealing with the attack’s fallout.
This hacking group has been active for over a decade, since at least 2009, and is known for attacks against high-profile targets worldwide, including banks, government agencies, and media organizations.
In April, Mandiant said that another North Korean threat group tracked as UNC4736 was behind the cascading supply chain attack that hit VoIP firm 3CX in March. UNC4736 is related to the Lazarus Group behind Operation AppleJeus, which was connected by Google TAG to the compromise of Trading Technologies’ website, the 3CX developer.
JumpCloud confirms hack by APT group
On June 27th, JumpCloud discovered an incident where “a sophisticated nation-state sponsored threat actor” breached its systems through a spear-phishing attack. Although there was no immediate evidence of customer impact, JumpCloud proactively rotated credentials and rebuilt compromised infrastructure as a precautionary measure.
During the investigation, on July 5th, JumpCloud detected “unusual activity in the commands framework for a small set of customers.” Collaborating with incident response partners and law enforcement, it also analyzed logs for signs of malicious activity and force-rotated all admin API keys.
In an advisory published on July 12th, JumpCloud shared details of the incident and released indicators of compromise (IOCs) to help partners secure their networks against attacks from the same group.
As of now, JumpCloud has not disclosed the number of customers impacted by the attack and has not attributed the APT group behind the breach to a specific state.
Headquartered in Louisville, Colorado, JumpCloud operates a directory-as-a-service platform providing single sign-on and multi-factor authentication services to over 180,000 organizations across more than 160 countries.
Update July 20, 13:00 EDT: Added Mandiant statement and information on at least one downstream victim.
Update July 20, 14:36 EDT: JumpCloud has now also confirmed that a North Korean APT group was behind the June attack.
We can confirm that CrowdStrike is our incident response partner. We can also report that we identified and CrowdStrike confirmed the nation-state actor involved was North Korea. Importantly, fewer than 5 JumpCloud customers were impacted and fewer than 10 devices total were impacted, out of more than 200,000 organizations who rely on the JumpCloud platform for a variety of identity, access, security, and management functions. All impacted customers have been notified directly. — Bob Phan, JumpCloud CISO