North Korea-backed hackers breached JumpCloud to target cryptocurrency customers


North Korean state-backed hackers breached U.S. enterprise software company JumpCloud to target its cryptocurrency customers, security researchers said on Thursday.

JumpCloud, a directory platform that allows enterprises to authenticate, authorize and manage users and devices, said this week that a nation-state actor was behind a June breach of its systems that forced the company to reset customers' API keys.

While JumpCloud did not attribute the hackers to a particular nation, researchers at cybersecurity companies CrowdStrike and SentinelOne have today attributed the breach to North Korea-backed hackers known as Lazarus, a well-known group known for targeting crypto entities such as the Ronin Network and Harmony's Horizon Bridge.

CrowdStrike has linked the JumpCloud attack to "Labyrinth Chollima," a sub-group of the notorious Lazarus hacking group that was also linked to the recent supply-chain attacks targeting enterprise phone maker 3CX. CrowdStrike senior vice president for intelligence Adam Meyers told Reuters that the hackers, which the cybersecurity company has been tracking since 2009 and describes as one of the "most prolific DPRK adversaries," have a history of targeting individuals related to the cryptocurrency sector. North Korea has a long history of using crypto-stealing operations to fund its sanctioned nuclear weapons program.

Separately, SentinelOne researcher Tom Hegel confirmed that indicators of compromise (IOCs) shared by JumpCloud are "linked to a wide variety of activity we attribute to DPRK." Hegel said in a tweet that he was "highly confident" in attributing the breach to North Korea, and said the hackers may also have been behind a recent social engineering campaign targeting GitHub customers.

The "low-volume" campaign targeted the personal accounts of employees of technology firms, GitHub said in a blog post last week, many of which are linked to the blockchain, cryptocurrency, or online gambling sectors. GitHub attributed the targeting to "a group operating in support of North Korean objectives," tracked as TraderTraitor by CISA.

"Based on public details available as of this writing, it's unclear if the GitHub alert originated from the JumpCloud incident or if they're separate efforts by the same attacker," Hegel said.

When asked by TechCrunch, JumpCloud declined to say whether the researchers' findings were consistent with its own, but said the incident impacted a "small and specific" set of customers. JumpCloud's software is used by over 180,000 organizations, and the company has more than 5,000 paying customers.

"Upon detecting the incident, we immediately took action based on our incident response plan to mitigate the threat, secure our network and perimeter, communicate with our customers, and engage law enforcement," JumpCloud spokesperson Josie Judy told TechCrunch.

In May, U.S. officials announced new sanctions against North Korea's army of illicit IT workers, who they claim have fraudulently gained employment around the world to finance the regime's weapons of mass destruction programs. The U.S. State Department is also offering rewards of up to $10 million for information that could help disrupt North Korean hackers.
