
JumpCloud Cyberattack Linked to North Korean Hackers

SentinelOne has linked the recent JumpCloud cyberattack to North Korean hackers, based on the published IoCs.

The cyberattack that directory, identity, and access management company JumpCloud fell victim to in late June can be attributed to North Korean advanced persistent threat (APT) activity, cybersecurity company SentinelOne says.

JumpCloud revealed last week that the attack started on June 22 with a spear-phishing email campaign, and that it resulted in data being injected into its commands framework a few weeks later.

Attributing the incident to a “sophisticated nation-state sponsored threat actor”, the company announced that the attack was extremely targeted, focusing on a limited set of customers.

JumpCloud did not share specific information on the number of impacted customers, nor on the type of data compromised in the attack. The company provides solutions to over 180,000 organizations.

“JumpCloud recently experienced a cybersecurity incident that impacted a small and specific set of our customers. Upon detecting the incident, we immediately took action based on our incident response plan to mitigate the threat, secure our network and perimeter, communicate with our customers, and engage law enforcement,” a JumpCloud spokesperson told SecurityWeek, responding to an inquiry.

After analyzing the indicators of compromise (IoCs) that JumpCloud shared last week, SentinelOne identified links to North Korean state-sponsored activities.

“The IOCs are linked to a wide variety of activity we attribute to DPRK, overall centric to the supply chain targeting approach seen in previous campaigns,” SentinelOne says.

The IoCs that JumpCloud shared allowed the cybersecurity firm to map out the attackers’ infrastructure, identifying domains that were constructed using patterns observed in previous North Korean incidents.

SentinelOne also identified links to various NPM and ‘package’ themed infrastructure, and to infrastructure linked to the TraderTraitor campaign, the 3CX hack, and the AppleJeus operation, all attributed to North Korean hackers.

“It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks. The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions,” SentinelOne notes.

Mandiant has also linked the attack to a North Korean threat actor while investigating a downstream victim that was compromised as a result of the JumpCloud intrusion.

“Mandiant is currently working with a downstream victim that was compromised as a result of the JumpCloud intrusion. Based on our initial analysis, Mandiant assesses with high confidence that this is a cryptocurrency-focused element within the DPRK’s Reconnaissance General Bureau (RGB), targeting companies with cryptocurrency verticals to obtain credentials and reconnaissance data,” Austin Larsen, Mandiant Senior Incident Response Consultant at Google Cloud, told SecurityWeek.

“This is a financially motivated threat actor that we’ve seen increasingly target the cryptocurrency industry and various blockchain platforms. The blending and sharing of DPRK’s cyber infrastructure oftentimes makes attribution difficult; however, targeting remains consistent and we anticipate there are other victims that are dealing with this,” Larsen added.

*Updated with information from Mandiant.

Related: North Korean Hackers Caught Using Malware With Microphone Wiretapping Capabilities

Related: North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft

Related: US, South Korea Detail North Korea’s Social Engineering Techniques

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
