Connect with us

Hi, what are you looking for?



JumpCloud Cyberattack Linked to North Korean Hackers

SentinelOne has linked the recent JumpCloud cyberattack to North Korean hackers, based on the published IoCs.

The cyberattack that directory, identity, and access management company JumpCloud fell victim to in late June can be attributed to North Korean advanced persistent threat (APT) activity, cybersecurity company SentinelOne says.

JumpCloud revealed last week that the attack started on June 22 with a spear-phishing email campaign, and that it resulted in data being injected into its commands framework a few weeks later.

Attributing the incident to a “sophisticated nation-state sponsored threat actor”, the company announced that the attack was extremely targeted, focusing on a limited set of customers.

JumpCloud did not share specific information on the number of impacted customers, nor on the type of data compromised in the attack. The company provides solutions to over 180,000 organizations.

“JumpCloud recently experienced a cybersecurity incident that impacted a small and specific set of our customers. Upon detecting the incident, we immediately took action based on our incident response plan to mitigate the threat, secure our network and perimeter, communicate with our customers, and engage law enforcement,” a JumpCloud spokesperson told SecurityWeek, responding to an inquiry.

After analyzing the indicators of compromise (IoCs) that JumpCloud shared last week, SentinelOne identified links to North Korean state-sponsored activities.

“The IOCs are linked to a wide variety of activity we attribute to DPRK, overall centric to the supply chain targeting approach seen in previous campaigns,” SentinelOne says.

Advertisement. Scroll to continue reading.

The IoCs that JumpCloud shared allowed the cybersecurity firm to map out the attackers’ infrastructure, identifying domains that were constructed using patterns observed in previous North Korean incidents.

SentinelOne also identified links to various NPM and ‘package’ themed infrastructure, and to infrastructure linked to the TraderTraitor campaign, the 3CX hack, and the AppleJeus operation, all attributed to North Korean hackers.

“It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks. The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions,” SentinelOne notes.

Mandiant has also linked the attack to a North Korean threat actor while investigating a downstream victim that was a result of this attack. 

“Mandiant is currently working with a downstream victim that was compromised as a result of JumpCloud intrusion. Based on our initial analysis, Mandiant assesses with high confidence that this is a cryptocurrency-focused element within the DPRK’s Reconnaissance General Bureau (RGB), targeting companies with cryptocurrency verticals to obtain credentials and reconnaissance data,” Austin Larsen, Mandiant Senior Incident Response Consultant at Google Cloud, told SecurityWeek.

“This is a financially motivated threat actor that we’ve seen increasingly target the cryptocurrency industry and various blockchain platforms. The blending and sharing of DPRK’s cyber infrastructure makes attribution oftentimes difficult, however targeting remains consistent and we anticipate there are other victims that are dealing with this,” Larsen added.

*updated with information from Mandiant

Related: North Korean Hackers Caught Using Malware With Microphone Wiretapping Capabilities

Related: North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft

Related: US, South Korea Detail North Korea’s Social Engineering Techniques

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...