North Korean Hackers Infiltrate US Tech Firm, Steal Millions in Cryptocurrency

According to a blog post by the Colorado-based IT management company JumpCloud, hackers associated with North Korea infiltrated JumpCloud’s systems in late June. The hackers then used their access to JumpCloud’s systems to target fewer than five of JumpCloud’s clients. While JumpCloud did not disclose the identities of the affected clients, cybersecurity firms CrowdStrike and Mandiant stated that the hackers are known to focus on stealing cryptocurrency. CrowdStrike is assisting JumpCloud with investigating the breach, and Mandiant is assisting one of the affected JumpCloud clients that was compromised by the hackers.

Based on two anonymous sources, the hacked JumpCloud clients targeted by the North Korean hackers were cryptocurrency companies. This attack demonstrates how North Korean cyber spies, rather than hacking cryptocurrency firms individually, are now infiltrating companies like JumpCloud to gain access to multiple cryptocurrency targets downstream. This tactic is known as a “supply chain attack.” Tom Hegel of the cybersecurity firm SentinelOne, who independently confirmed the North Korean origin of the attack, stated that North Korea appears to be escalating and refining their hacking capabilities. By compromising a company like JumpCloud, the North Korean hackers were able to use it as a launch pad to breach multiple cryptocurrency firms downstream.

The North Korean mission to the United Nations in New York did not respond to a request for comment on the hacking incident. Despite extensive evidence implicating them, including UN reports, North Korea has previously denied carrying out cryptocurrency heists. 

The cybersecurity firm CrowdStrike identified the hackers as a group known as “Labyrinth Chollima”, which they allege operates on behalf of North Korea. Mandiant stated that the hackers are part of North Korea’s Reconnaissance General Bureau, the country’s main foreign intelligence agency. Though North Korea denies organizing such digital currency attacks, cybersecurity experts have amassed significant evidence that hacker groups like Labyrinth Chollima work under the direction of Pyongyang.

The US cybersecurity agencies CISA and FBI declined to comment on the JumpCloud hack. 

The breach first became public earlier this month when JumpCloud emailed customers that their credentials would be reset due to an ongoing security incident. In an earlier version of their blog post acknowledging the hack, JumpCloud said the intrusion occurred on June 27th. The cybersecurity podcast Risky Business cited anonymous sources this week stating North Korea was suspected in the attack. 

JumpCloud’s products help IT administrators manage devices and servers. By compromising JumpCloud’s systems, the hackers gained access to tools used by the company’s clients to control their own IT infrastructure. This gave the hackers an opportunity to breach multiple downstream cryptocurrency firms by hijacking JumpCloud’s administrative access.

Labyrinth Chollima is considered one of North Korea’s most capable hacking groups, responsible for some of the country’s boldest and most disruptive cyber attacks. They have stolen massive sums of cryptocurrency, with blockchain analytics firm Chainalysis estimating North Korean-linked hackers stole $1.7 billion in digital cash last year alone. 

According to CrowdStrike’s Adam Meyers, North Korea’s hacking capabilities should not be underestimated. He believes this latest supply chain attack on JumpCloud will not be their last this year, as Pyongyang continues to refine its cyber warfare tactics. North Korea frequently denies responsibility for such hacks, but experts have amassed extensive evidence tracing intrusions back to North Korean groups like Labyrinth Chollima that operate under the direction of Pyongyang’s intelligence agencies.

#Cryptocurrency #Crypto #Hackers
