JumpCloud was hit by North Korean hackers looking to steal crypto

American enterprise software firm JumpCloud has confirmed the data breach it recently suffered was dealt by the hands of the infamous Lazarus Group. 

The North Korean state-sponsored actors managed to use the successful breach to target several JumpCloud clients but according to the firm, the attack was contained before any serious damage could be done.

The cloud storage firm had reported suffering a cyberattack at the hands of “a sophisticated nation-state sponsored threat actor”. The attacker, the company said, engaged in spear phishing, which gave it access to its endpoints. Even though JumpCloud did not immediately find any evidence of impact on customers, it refreshed important credentials and rebuilt compromised infrastructure.

Targeting customers

Further investigation uncovered that in early July 2023, there was “unusual activity in the commands framework for a small set of customers”. Soon afterwards, the company released more details about the incident from which cybersecurity researchers Mandiant identified the attackers as Lazarus. At the same time, researchers from both SentinelOne and CrowdStrike came to the same conclusion.

“We can also report that we identified and CrowdStrike confirmed the nation-state actor involved was North Korea. Importantly, fewer than 5 JumpCloud customers were impacted and fewer than 10 devices total were impacted, out of more than 200,000 organizations who rely on the JumpCloud platform for a variety of identity, access, security, and management functions. All impacted customers have been notified directly,” Bob Phan, JumpCloud CISO said in an announcement.

Lazarus Group is a well-known threat actor working for the North Korean government. The group is usually after companies dealing with cryptocurrencies.

“Mandiant assesses with high confidence that this is a cryptocurrency-focused element within the DPRK’s Reconnaissance General Bureau (RGB), targeting companies with cryptocurrency verticals to obtain credentials and reconnaissance data,” Senior Incident Response Consultant Austin Larsen told BleepingComputer.

“This is a financially motivated threat actor that we’ve seen increasingly target the cryptocurrency industry and various blockchain platforms.”

Via: BleepingComputer

Related Post