North Korean state-backed hackers breached U.S. enterprise software company JumpCloud to target its cryptocurrency clients, security researchers said on Thursday.
JumpCloud, a directory platform that allows enterprises to authenticate, authorize and manage users and devices, said this week that a nation-state actor was behind a June breach of its systems that forced the company to reset customers’ API keys.
While JumpCloud didn’t attribute the hackers to a particular nation, researchers at cybersecurity companies Crowdstrike and SentinelOne have today attributed the breach to North Korea-backed hackers called Lazarus, a well-known group known for targeting crypto entities such as the Ronin Network and Harmony’s Horizon Bridge.
CrowdStrike has linked the JumpCloud attack to a “Labyrinth Chollima,” a sub-group of the notorious Lazarus hacking group that was also linked to the recent supply-chain attacks targeting enterprise phone maker 3CX. CrowdStrike senior vice president for intelligence Adam Meyers told Reuters that the hackers, which the cybersecurity company has been tracking since 2009 and describes as one of the “most prolific DPRK adversaries,” has a history of targeting individuals related to the cryptocurrency sector. North Korea has a long history of using crypto-stealing operations to fund its sanctioned nuclear weapons program.
Separately, SentinelOne researcher Tom Hegel confirmed that indicators of compromise (IOCs) shared by JumpCloud are “linked to a wide variety of activity we attribute to DPRK.” Hegel said in a tweet he was “highly confident” in attributing the breach to North Korea, and said the hackers may have also been behind a recent social engineering campaign targeting GitHub customers.
The “low-volume” campaign targeted the personal accounts of employees of technology firms, GitHub said in a blog post last week, many of which are connected to the blockchain, cryptocurrency, or online gambling sectors. GitHub attributed the targeting to “a group operating in support of North Korean objectives,” tracked as TraderTraitor by CISA.
“Based on public details available as of this writing, it’s unclear if the GitHub alert originated from the JumpCloud incident or if they are separate efforts by the same attacker,” Hegel said.
When asked by TechCrunch, JumpCloud declined to say whether the researchers’ findings were consistent with its own but said the incident impacted a “small and specific” set of customers. JumpCloud’s software is used by over 180,000 organizations, and the company has more than 5,000 paying customers.
“Upon detecting the incident, we immediately took action based on our incident response plan to mitigate the threat, secure our network and perimeter, communicate with our customers, and engage law enforcement,” JumpCloud spokesperson Josie Judy told TechCrunch.
In May, U.S. officials announced new sanctions against North Korea’s army of illicit IT workers, which they claim have fraudulently gained employment around the world to finance the regime’s weapons of mass destruction programs. The U.S. State Department is also offering rewards of up to $10 million for information that could help disrupt North Korean hackers.