North Korean Hackers Breach JumpCloud, Signaling a Shift in Crypto-Heist Strategy
According to Reuters, JumpCloud, an American IT management company based in Louisville, Colorado, confirmed a system breach in late June 2023 by a North Korean government-backed hacking group . The hackers targeted JumpCloud's cryptocurrency company clients, marking a strategic shift in their operations.
JumpCloud, an identity and access management firm, is a preferred choice for many crypto projects for infrastructure services. For instance, Chiliz, a leading player in the crypto industry, has chosen JumpCloud as a Mobile Device Management Solution for its fast-growing global team. The company serves over 180,000 organizations and more than 5,000 paying customers.
Previously, North Korean cyber spies focused on individual crypto companies. However, this recent attack indicates a change in their approach, now targeting companies that can provide access to multiple sources of digital currencies. The exact number of affected companies remains unspecified.
JumpCloud acknowledged the breach in a blog post, attributing the hack to a "sophisticated nation-state sponsored threat actor" but did not disclose specific details about the perpetrator or the affected clients.
Cybersecurity firm CrowdStrike Holdings confirmed that "Labyrinth Chollima," a notorious squad of North Korean hackers, was behind the breach. Adam Meyers, the firm's Senior Vice President for Intelligence, noted that these hackers have a history of targeting cryptocurrency entities.
The JumpCloud intrusion is part of a series of recent breaches demonstrating North Korea's proficiency in "supply chain attacks," according to independent research by cybersecurity researcher Tom Hegel. Despite North Korea's denial of organizing digital currency heists, substantial evidence, including U.N. reports, contradicts these claims.
JumpCloud's Chief Information Security Officer (CISO), Bob Phan, reported that the first detected anomalous activity occurred on June 27, 2023, traced back to a spearphishing campaign initiated by the threat actor on June 22, 2023.
By July 5, 2023, JumpCloud discovered unusual activity in its commands framework for a small set of customers, leading to the resetting of all admin API keys and the notification of affected customers.
In response to the attack, JumpCloud has committed to enhancing its security measures to protect its customers from future threats. The company will continue to work closely with government and industry partners to share information related to this threat.
The attack vector used by the unnamed state-backed hackers has been mitigated, and law enforcement has been notified about the attack.