A North Korean government-backed group of hackers broke into a US IT management company and used it as a springboard to target an unknown number of cryptocurrency companies, according to two sources familiar with the matter.

Hackers broke into Louisville, Colorado-based JumpCloud in late June and used their access to the company's systems to target JumpCloud's cryptocurrency business clients in an effort to steal digital cash, the sources said.

The hack shows how North Korean cyberspies, previously content to go after cryptocurrency companies one at a time, are now targeting companies that can give them access to multiple sources of bitcoin and other digital currencies.

JumpCloud, which acknowledged the hack in a blog post last week and attributed it to a “sophisticated nation-state sponsored threat actor”, did not respond to questions from Reuters about who specifically was behind the hack and which customers were affected. Reuters was unable to find out if any digital currency was ultimately stolen as a result of the hack.

Cybersecurity company CrowdStrike Holdings, which is working with JumpCloud to investigate the breach, confirmed that “Labyrinth Chollima” – a name given to a specific North Korean hacker squad – was behind the breach.

CrowdStrike Senior Vice President of Intelligence Adam Meyers declined to comment on what the hackers were looking for, but noted that they had a history of attacking cryptocurrency targets.

“One of their main objectives has been to generate revenue for the regime,” he said.

Pyongyang’s mission to the United Nations in New York did not immediately respond to a request for comment. North Korea has previously denied orchestrating digital currency thefts, despite voluminous evidence – including UN reports – to the contrary.

An independent investigation backed up CrowdStrike’s claim.

Cybersecurity researcher Tom Hegel, who was not involved in the investigation, told Reuters the JumpCloud intrusion was the latest in several recent breaches showing how the North Koreans have become adept at “supply chain attacks,” or elaborate hacks that work by compromising software or service providers to steal data or money from downstream users.

“In my opinion, North Korea is really stepping up its game,” said Hegel, who works for the US company SentinelOne.

In a blog post to be published on Thursday, Hegel said digital indicators released by JumpCloud linked the hackers to activity previously attributed to North Korea.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI declined to comment.

The hack of JumpCloud, whose products help network administrators manage devices and servers, first came to light earlier this month, when the firm emailed customers to tell them their credentials would be changed “out of an abundance of caution in connection with an ongoing incident.”

In the blog post acknowledging that it was a hack, JumpCloud traced the intrusion back to June 27. The cybersecurity-focused Risky Business podcast earlier this week cited two sources as saying North Korea was a suspect in the intrusion.

Labyrinth Chollima is one of North Korea’s most prolific hacker groups and is said to be responsible for some of the most daring and disruptive cyber intrusions carried out by the isolated country. Its cryptocurrency thefts have led to the loss of vast sums: blockchain analysis firm Chainalysis claimed last year that North Korea-linked groups stole an estimated $1.7 billion worth of digital cash through multiple hacks.

CrowdStrike’s Meyers said Pyongyang’s hacker squads should not be underestimated.

“I don’t think this is the last we’ll see of North Korean attacks on the supply chain this year,” he said.
