Breach Details
A renowned North Korean-backed hacking group recently infiltrated JumpCloud, an American IT management firm based in Louisville, Colorado. Sources familiar with the situation revealed that the hackers then used this breach as a launch pad to further target companies dealing with cryptocurrency, aiming to siphon off their digital assets.
The nature of this cyber assault demonstrates an evolving strategy among North Korean hackers. Previously, they would individually target cryptocurrency entities; however, their modus operandi now seems to involve attacking a single gateway company that has connections to multiple cryptocurrency sources.
JumpCloud’s Response
JumpCloud conceded the breach in a blog post, suggesting a “nation-state sponsored threat actor” was responsible. However, the company remained tight-lipped when questioned about the specific perpetrators or the affected clientele. While a representative from JumpCloud confirmed that fewer than five clients had been affected, there is as yet no clarity on whether any digital currency was stolen during the breach.
Expert Confirmations
CrowdStrike Holdings, a prominent cybersecurity firm, corroborated that the group identified as “Labyrinth Chollima” – a notorious band of North Korean cyber operatives – orchestrated this cyber intrusion. Adam Meyers, Senior Vice President for Intelligence at CrowdStrike, refrained from elaborating on the hackers’ goals but did underscore their historical propensity to target cryptocurrency holdings. He remarked, “Their main goal seems to revolve around financing the regime.”
Unraveling the Modus Operandi
Tom Hegel, a cybersecurity researcher from SentinelOne, highlighted the shift in North Korea’s hacking approach. Not directly involved in the investigation, Hegel emphasized how North Korea has honed its skill in “supply chain attacks.” Such strategies involve infiltrating service or software providers to indirectly siphon data or funds from their clients. Hegel warned, “North Korea is certainly upping their ante.”
Furthermore, Hegel plans to publish a post emphasizing how digital clues released by JumpCloud link the hackers to activities typically associated with North Korea.
Reactions and Background
Both the U.S. cyber watchdog agency, CISA, and the FBI refrained from commenting on the issue.
This breach at JumpCloud, a company specializing in assisting network administrators, came to light when the firm notified clients that their credentials were being altered due to “an incident.” Subsequently, JumpCloud revealed in a blog post that they had traced the breach back to June 27. Risky Business, a podcast specializing in cybersecurity, has also identified North Korea as a prime suspect in the attack.
Labyrinth Chollima, notorious for its audacious cyber exploits, is one of North Korea’s foremost hacking entities. Their history is riddled with immense thefts of digital currency. In a staggering revelation, blockchain analytics entity Chainalysis reported last year that North Korean hackers had pilfered an estimated $1.7 billion in cryptocurrencies across multiple operations.
Meyers from CrowdStrike cautioned about underestimating the North Korean cyber brigades and anticipates more such supply chain attacks from them in the future.