Security researchers say they have high confidence that North Korean hackers were behind a recent intrusion at enterprise software company JumpCloud because of a mistake the hackers made.
Mandiant, which is assisting one of JumpCloud’s affected customers, attributed the breach to hackers working for North Korea’s Reconnaissance General Bureau, or RGB, a hacking unit that targets cryptocurrency companies and steals passwords from executives and security teams. North Korea has long used crypto thefts to fund its sanctioned nuclear weapons program.
In a blog post, Mandiant said the hacking unit, which it calls UNC4899 (since it’s a new, unclassified threat group), mistakenly exposed their real-world IP addresses. The North Korean hackers would often use commercial VPN services to mask their IP addresses, but on “many occasions” the VPNs failed to work or the hackers did not use them when accessing the victim’s network, exposing their access from Pyongyang.
Mandiant said its evidence supports that this was “an OPSEC slip up,” referring to operational security — the way in which hackers try to prevent information about their activity leaking as part of their hacking campaigns. The researchers said they also uncovered additional infrastructure used in this intrusion that was previously used by hacks attributed to North Korea.
“North Korea-nexus threat actors continue to improve their cyber offensive capabilities in order to steal cryptocurrency. Over the past year, we’ve seen them conduct multiple supply chain attacks, poison legitimate software, and develop and deploy custom malware onto MacOS systems,” said Mandiant’s CTO Charles Carmakal. “They ultimately want to compromise companies with cryptocurrency and they’ve found creative paths to get there. But they also make mistakes that have helped us attribute several intrusions to them.”
SentinelOne and CrowdStrike also confirmed North Korea was behind the JumpCloud intrusion.
JumpCloud said in a short post last week that fewer than five of its corporate customers and less than 10 devices were targeted by the North Korean hacking campaign. JumpCloud reset its customer API keys after reporting an intrusion in June. JumpCloud has more than 200,000 enterprise customers, including GoFundMe, ClassPass, and Foursquare.