North Korean hacking group “Labyrinth Chollima” has been identified as the culprit behind the breach of U.S. enterprise software company JumpCloud, security researchers confirmed on Thursday.
The hack initially occurred on June 27 but was not identified until last week, after a post-mortem was conducted. JumpCloud, a directory platform that allows enterprises to authenticate, authorize, and manage users and devices, immediately reset its customers’ API keys and attributed the reset to an “ongoing, but unspecified” security incident.
Lazarus Group’s Subordinate Targets JumpCloud’s Crypto Clients
In the post-mortem report, JumpCloud determined that a nation-state actor had gained unauthorized access to its systems and had targeted a “small and specific” group of customers. The enterprise software solutions provider reached out to cybersecurity firms to identify those responsible.
CrowdStrike Holdings, Mandiant, and SentinelOne got to work and attributed the breach to Labyrinth Chollima, a sister group of the notorious Lazarus, a well-known hacking group backed by the North Korean government that has been continuously targeting crypto firms. Lazarus was behind the infamous Ronin Network and Harmony’s Horizon Bridge hacks.
The group is also responsible for launching cyberattacks on crypto firms and companies contracted by defense agencies to steal digital currencies and military information to fuel North Korea’s weapons programs.
Adam Meyers, the senior vice president of CrowdStrike, told reporters that the hackers were among North Korea’s most prolific adversary groups and have a history of targeting companies and individuals related to the cryptocurrency sector.
JumpCloud first detected suspicious activity on the platform on June 27 and traced it back to a spearphishing attack 5 days earlier. CISO Bob Phan said that at first the security team could not identify any customers who were affected by the hack.
It was only on July 7 that JumpCloud discovered unusual activity in its commands framework for a small group of customers, which according to people familiar with the matter were the firm’s crypto clients.
JumpCloud, whose products help network administrators manage devices and servers, provides software solutions to more than 180,000 organizations and 5,000 paying customers, including GoFundMe, Foursquare, Beyond Finance, Grab, and Cars.com.
The company informed law enforcement authorities of the attack and published “indicators of compromise” (IOCs) to help other agencies identify similar attacks. According to cybersecurity researcher Tom Hegel of SentinelOne, the IOCs shared by JumpCloud were found to be similar to a wide variety of activities conducted by North Korean hacking groups. He suspects that Labyrinth Chollima may have also been behind a recent campaign targeting GitHub users.
The Group Is On The Lookout For Clients Linked To Crypto Companies
Last week, attacks on the personal accounts of tech firm employees took place on the cloud-based software development platform GitHub. The company then published a blog post stating that the attack targeted customers connected to the blockchain, cryptocurrency, or online gambling businesses.
However, it is not clear whether the GitHub incident was linked to JumpCloud or whether they were separate attacks carried out by the same group. Neither company revealed information about the customers affected by the hack.
Alphabet-owned security firm Mandiant, which is working with one of the victims of the JumpCloud breach, confirmed that the hackers were part of a crypto-focused unit within North Korea’s Reconnaissance General Bureau (RGB). According to Mandiant, this team targets companies with links to the crypto sector to obtain credentials and reconnaissance data.
Upon thorough investigation, CrowdStrike discovered that fewer than 5 customers and about 10 devices were compromised by the hackers. JumpCloud also confirmed the findings.
A spokesperson for JumpCloud said the company took immediate action upon detecting the illegal activity and mitigated the threat by securing its network and perimeter to safeguard customers.
Bob Phan promised to enhance security measures to protect users from future threats and said the company will work closely with government officials and “industry partners” to share all information related to the attack.
North Korean hacking groups have wreaked havoc on the cryptocurrency sector, and security analysts warn there will be more attacks on the way. Blockchain analytics firm Chainalysis released a report last year stating that groups linked to the country stole an estimated $1.7 billion in digital assets via hacks on multiple crypto platforms.