In a concerning development, a North Korean government-backed hacking group successfully breached an American IT management company, utilizing it as a launchpad to target cryptocurrency companies. Two reliable sources familiar with the matter disclosed this information.
The hackers gained unauthorized access to JumpCloud, a company based in Louisville, Colorado, in late June. Using this access, they proceeded to target JumpCloud’s cryptocurrency company clients with the aim of stealing digital currencies, the sources reported.
This incident highlights a shift in North Korean cyber espionage tactics. Previously content with targeting individual crypto firms, the hackers are now setting their sights on companies like JumpCloud that can provide them access to multiple sources of bitcoin and other digital assets.
JumpCloud confirmed the hack in a recent blog post, attributing it to a “sophisticated nation-state sponsored threat actor.” However, they did not respond to Reuters’ inquiries regarding the perpetrator’s identity or the extent of the clients affected. A JumpCloud spokesperson mentioned that fewer than five customers were impacted, and TechGenez could not verify if any digital currency was actually stolen as a result of the hack.
Cybersecurity firm CrowdStrike Holdings, which is collaborating with JumpCloud to investigate the breach, verified that the hacking group behind the attack is known as “Labyrinth Chollima,” a specific squad of North Korean hackers. Adam Meyers, the Senior Vice President for Intelligence at CrowdStrike, refrained from disclosing the hackers’ specific objectives but emphasized their history of targeting cryptocurrency firms.
Meyers stated, “One of their primary objectives has been generating revenue for the regime.”
Despite voluminous evidence, including U.N. reports, North Korea has consistently denied involvement in digital currency heists. However, independent research supported CrowdStrike’s assertion.
Cybersecurity researcher Tom Hegel, not involved in the investigation, noted that the JumpCloud intrusion is part of a series of recent breaches indicating North Korea’s proficiency in “supply chain attacks.” These sophisticated hacks compromise software or service providers to steal data or money from downstream users. Hegel, employed by U.S. firm SentinelOne, remarked, “North Korea, in my opinion, is really stepping up their game.”
In a forthcoming blog post, Hegel is set to provide more details linking the hackers to activities previously attributed to North Korea.
While both the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI declined to comment on this particular incident, the breach on JumpCloud is only the latest in a string of daring and disruptive cyber intrusions attributed to North Korea’s Labyrinth Chollima group.
This hacking group has been particularly adept at stealing digital currencies, leading to substantial financial losses. In fact, according to blockchain analytics firm Chainalysis, North Korean-linked groups pilfered an estimated $1.7 billion worth of digital cash across various hacks last year.
CrowdStrike’s Meyers warned against underestimating Pyongyang’s hacking squads, stating, “I don’t think this is the last we’ll see of North Korean supply chain attacks this year.”
The incident has raised concerns among cybersecurity experts and authorities, urging increased vigilance among companies dealing with sensitive data, especially in the cryptocurrency industry.
The hack on JumpCloud, a company whose products aid network administrators in managing devices and servers, came to public attention when the firm notified its customers earlier this month that their credentials would be changed due to an “ongoing incident,” as revealed in a blog post by the company.
In the aftermath of the breach, JumpCloud traced the intrusion back to June 27. The cybersecurity-focused podcast, Risky Business, recently cited two sources pointing to North Korea as the main suspect behind the attack.
“Labyrinth Chollima” is renowned as one of North Korea’s most prolific hacking groups and has been responsible for audacious and disruptive cyber intrusions. Their involvement in cryptocurrency theft has resulted in substantial financial losses, with blockchain analytics firm Chainalysis estimating that North Korean-linked groups stole around $1.7 billion worth of digital currencies through multiple hacks last year.
CrowdStrike’s Adam Meyers underscored the significance of North Korean hacking groups’ financial motives, emphasizing their role in generating revenue for the regime. This latest breach, with its focus on supply chain attacks, exemplifies North Korea’s evolving cyber capabilities and the need for heightened vigilance in the face of such threats.
While the U.S. cyber watchdog agency CISA and the FBI declined to comment on the specific incident, cybersecurity experts and authorities are urging companies, especially those operating in the cryptocurrency sector, to fortify their security measures and be cautious of potential supply chain attacks.
The incident involving JumpCloud serves as a stark reminder of the growing risks faced by companies as cyber espionage tactics continue to evolve. As these hacking groups become more sophisticated and aggressive, organizations must prioritize their cybersecurity efforts and stay ahead of the ever-changing threat landscape.
For now, the focus remains on investigating the extent of the breach, identifying affected clients, and understanding if any digital currency was indeed stolen. As the investigation unfolds, cybersecurity professionals will closely monitor the situation to assess any further threats posed by North Korean hackers and other state-sponsored threat actors.
The incident has also prompted discussions among policymakers about the need for international cooperation to counter and deter cyber threats. Addressing state-sponsored cyber attacks and their potential consequences in the digital realm will require collective efforts from governments, businesses, and cybersecurity experts to safeguard critical infrastructure and protect sensitive data.
