Security researchers say they have high confidence that North Korean hackers were behind a recent intrusion into enterprise software company JumpCloud due to a mistake the hackers made.

Security firm Mandiant, which is helping one of JumpCloud's affected customers, blamed the breach on hackers working for North Korea's Reconnaissance General Bureau, known as the RGB, a hacking unit that targets cryptocurrency companies and steals passwords from executives and security teams. North Korea has long used cryptocurrency theft to finance its sanctioned nuclear program.

In a blog post, Mandiant said the hacking unit, which it tracks as UNC4899 (the "UNC" prefix marking a newly observed, not yet categorized threat group), mistakenly exposed its real-world IP addresses. North Korean hackers often use commercial VPN services to hide their IP addresses, but on "many occasions" the VPNs failed or the hackers did not use them when accessing the victim's network, exposing their access from Pyongyang.

Mandiant said its evidence supports that this was "an OPSEC oversight," referring to operational security, the practices hackers use to keep information about their activity from leaking during their campaigns. Investigators also discovered additional infrastructure used in this intrusion that had previously been used in attacks attributed to North Korea.

“North Korea-related threat actors continue to enhance their cyber offensive capabilities to steal cryptocurrency. In the past year, we have seen them carry out multiple supply chain attacks, poison legitimate software, and develop and deploy custom malware on macOS systems,” said Charles Carmakal, CTO of Mandiant. “Ultimately, they want to compromise companies with cryptocurrency and have found creative ways to do that. But they also make mistakes that have helped us pin various intrusions on them.”

CrowdStrike and SentinelOne also confirmed that North Korea was behind the JumpCloud hack.

JumpCloud said in a brief post last week that fewer than five of its corporate customers and fewer than 10 devices were targeted by the North Korean hacking campaign. JumpCloud reset its customers’ API keys after reporting the breach in June. JumpCloud has more than 200,000 business customers, including GoFundMe, ClassPass, and Foursquare.
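The two defensive threads above, the attackers' real IP addresses surfacing when their VPN dropped and JumpCloud's decision to rotate customer API keys, can be combined into a simple detection: flag any API key that is used from an unexpected network within minutes of a use from an expected one, and queue it for rotation. The following is an added illustration, not JumpCloud's or Mandiant's code; the log records, the allow-listed network and the time window are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log records (not JumpCloud's real log schema): one record
# per authenticated API call, with the source IP seen by the identity provider.
SAMPLE_EVENTS = [
    {"ts": "2023-06-27T09:00:00Z", "api_key": "key-A", "src_ip": "203.0.113.10"},
    {"ts": "2023-06-27T09:05:00Z", "api_key": "key-A", "src_ip": "203.0.113.12"},
    {"ts": "2023-06-27T09:07:00Z", "api_key": "key-A", "src_ip": "198.51.100.77"},
    {"ts": "2023-06-27T11:00:00Z", "api_key": "key-B", "src_ip": "203.0.113.20"},
]

# Assumed allow-list: networks from which the key's owner is expected to call the API.
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def in_expected(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_key_anomalies(events, expected_nets, window=timedelta(minutes=30)):
    """Return {api_key: sorted unexpected source IPs} for every key that was used
    from outside the expected networks within `window` of a use from inside them.
    A key hopping between the two in a short span looks like a tunnel dropping
    (or a stolen key being replayed) and is a candidate for immediate rotation."""
    by_key = defaultdict(list)
    for event in events:
        by_key[event["api_key"]].append((parse_ts(event["ts"]), event["src_ip"]))
    flagged = {}
    for key, uses in by_key.items():
        known_times = [t for t, ip in uses if in_expected(ip, expected_nets)]
        suspicious = set()
        for t, ip in uses:
            if in_expected(ip, expected_nets):
                continue
            if any(abs(t - kt) <= window for kt in known_times):
                suspicious.add(ip)
        if suspicious:
            flagged[key] = sorted(suspicious)
    return flagged


def keys_to_rotate(events, expected_nets):
    """Sorted list of API keys the anomaly check says should be reset."""
    return sorted(find_key_anomalies(events, expected_nets))
```

Run against the constructed records, only key-A is flagged (for 198.51.100.77), while key-B, used solely from the allow-listed range, is left alone.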

Although JumpCloud has reported that only a few of its clients and devices were affected by the intrusion, the attack by North Korean hackers could have serious consequences for the affected companies. Security experts warn that the hackers could have stolen sensitive information and passwords from executives and security teams, potentially compromising those companies' security.

Additionally, the JumpCloud intrusion highlights the growing threat posed by nation-state-sponsored hackers. These hackers, backed by foreign governments, have the resources and skills to carry out highly sophisticated and persistent attacks. It is critical that companies take proactive steps to protect against these threats by implementing robust security measures and maintaining constant vigilance over their IT infrastructure.

On the other hand, the attribution of the intrusion to North Korea highlights the need for closer international cooperation in the fight against cybercrime. Cyber attacks know no borders and require a globally coordinated response. Governments and businesses must work together to share threat intelligence, exchange best practices, and strengthen cybersecurity around the world.

In short, North Korean hackers’ attack on JumpCloud systems highlights the growing dangers of nation-state-sponsored cybercrime. It is critical that businesses are prepared to deal with these threats and take proactive steps to protect themselves. In addition, greater international cooperation is required to effectively combat cybercrime and ensure global cybersecurity.
