© 2023 CyberNews - Latest tech news, product reviews, and analyses.

JumpCloud hack blamed on North Korea's Lazarus group

New research reveals last month's JumpCloud breach was carried out by a North Korean government-backed hacking group – all in a bid to target cryptocurrency firms.

Cybersecurity researchers from SentinelOne, CrowdStrike and Alphabet-owned Mandiant all contributed to the report, which was released Thursday in collaboration with JumpCloud.

“Reviewing the newly released indicators of compromise, we associate the cluster of threat activity to a North Korean state sponsored APT,” wrote SentinelOne senior researcher Tom Hegel in a summary of the report.

The hackers are known to work for North Korea's Reconnaissance General Bureau (RGB), its primary foreign intelligence agency, Mandiant said.

In a step further, CrowdStrike also linked the evidence to the hacker gang Labyrinth Chollima, considered an overlap of another North Korean state-sponsored faction, the Lazarus group.

Labyrinth Chollima “is one of the most prolific Democratic People’s Republic of Korea (DPRK) adversaries tracked by CrowdStrike and has been active at least since 2009,” according to the security firm.

Hegel tweeted the trio was “highly confident” attributing the “JumpCloud intrusion IOCs to North Korean threat actors” followed by the hashtag #Lazarus.

Hegel stated the researchers could be “more specific if the malware ever goes public.”

JumpCloud intrusion

The hackers broke into the Louisville, Colorado-based JumpCloud in late June and used their access to the company’s systems to target "fewer than 5" of its clients, JumpCloud said in a blog post.

JumpCloud did not identify the customers affected, but researchers said the hackers involved were known to focus on cryptocurrency theft.

Two people familiar with the matter confirmed that the JumpCloud clients targeted by the hackers were cryptocurrency companies.

The hack shows how North Korean cyber spies, once content with going after digital currency firms piecemeal, are now tackling companies that can give them broader access to multiple victims downstream - a tactic known as a "supply chain attack."

"The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions,” Hegel said.

The hack on JumpCloud – whose products are used to help network administrators manage devices and servers – first surfaced publicly earlier this month when the firm emailed customers to say their credentials would be changed “out of an abundance of caution relating to an ongoing incident.”

The investigation identified dozens of malicious IP addresses and hashes to block and avoid at all costs, JumpCloud said.

[Image: North Korean domain used to hack JumpCloud. Caption: Domains identified as part of the threat actor’s infrastructure: zscaler-api.org]

The IT management company is urging its clients to use the data from the research to beef up perimeter security.

North Korean sponsored hackers

“North Korea in my opinion is really stepping up their game. It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks,” Hegel said.

The Lazarus subgroup Labyrinth Chollima is said to be responsible for some of the isolated country’s most daring and disruptive cyber intrusions.

Its theft of cryptocurrency has led to the loss of eye-watering sums: Blockchain analytics firm Chainalysis said last year that North Korean-linked groups stole an estimated $1.7 billion worth of digital cash across multiple hacks.

Lazarus is also known by the names APT38, Black Artemis and Zinc, and as Hidden Cobra by the US government.

In February, Lazarus launched a hacking campaign aimed at public and private research organizations, medical research, and the energy sector, including their supply chains.

CrowdStrike Senior Vice President for Intelligence Adam Meyers said Pyongyang's hacking squads should not be underestimated.

"I don't think this is the last we'll see of North Korean supply chain attacks this year," he said.


Pyongyang's mission to the United Nations in New York did not respond to a request for comment.

North Korea has previously denied organizing digital currency heists, despite voluminous evidence - including U.N. reports - to the contrary. Its cryptocurrency industry is said to be mainly crime-related and backed by the state.

North Korea allegedly has around 6,000 hackers who operate in over 150 countries. 10% of North Korea’s GDP comes from cybercrime, specifically fraud, theft, and ransomware.

The 2019 UN Security Council report stated that since 2016, North Korea has been increasingly relying on hacking to generate income for the country's treasury.

It is believed that most of the proceeds from these criminal activities are likely allocated to the national defense budget to fund nuclear and missile testing.
