It's now clear that the North Korean-linked Lazarus Group was behind what’s being called a supply chain attack focused on cryptocurrency and blockchain platforms via JumpCloud two weeks after the Colorado-based software company informed its customers that it was invalidating its API keys.
In a blog post July 20, SentinelLabs researchers reported that they tied the indicators of compromise (IOCs) released by JumpCloud to the North Korean advanced persistent threat group (APT).
“What we’re able to see is a connection in server infrastructure used by the attacker,” explained Tom Hegel, a senior threat researcher at SentinelLabs. “We profile threat actor infrastructure and the many ways they link together through design and use. In this case we can link the IOCs to unique infrastructure owned and operated by DPRK [Democratic People's Republic of Korea], allowing a highly confident assessment of attribution.”
It was Hegel who confirmed in a tweet July 20 that the attack was tied to the Lazarus Group, a well-known cybercrime group that has been responsible for many high-profile hacking cases, including the Sony hack in 2014 and WannaCry in 2017.
In the tweet, Hegel said: “Highly confident in attributing the JumpCloud intrusion IOCs to North Korean threat actors. #Lazarus Group APT at a high level, but we may be able to get more specific if the malware ever goes public.”
In a July 20 update to its original announcement, JumpCloud CISO Bob Phan confirmed that the company was working with CrowdStrike on incident response. Phan added that fewer than five of its customers were affected by the North Korean hack, and a total of 10 devices were believed to have been impacted.
SentinelLabs said in Thursday’s blog that the JumpCloud intrusion serves as a clear illustration of the Lazarus Group’s inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions. The researchers said DPRK demonstrates a “profound understanding of the benefits derived from meticulously selecting high-value targets as a pivot point to conduct supply chain attacks into fruitful networks.”
Also on Thursday, Reuters reported that in working with JumpCloud to investigate the breach, CrowdStrike confirmed that Labyrinth Chollima, a subset of the Lazarus Grouip, was behind the breach.
Timothy Morris, chief security advisor at Tanium, said Lazarus was also behind the recent 3CX supply chain breach. Morris said the 3CX breach generated many targets, so it would stand to reason that the JumpCloud attack was very targeted to go after more victims within the finance and cryptocurrency space.
“JumpCloud’s home page identifies such companies, like GoFundMe,” said Morris. “The attackers were in JumpCloud’s network for two weeks without being detected and subsequently were inside a subset of JumpCloud’s customers for an additional week. I suspect that more victims will be realized, as is the case with most supply chain attacks. For an attacker, they are the gift that keeps on giving.”
Mandiant reported Thursday that it was working with a downstream victim that was compromised as a result of the JumpCloud intrusion. Based on its initial analysis, Mandiant assessed with high confidence that it was a cryptocurrency-focused element within the DPRK's Reconnaissance General Bureau (RGB), targeting companies with cryptocurrency verticals to obtain credentials and reconnaissance data.
“This is a financially motivated threat actor that we’ve seen increasingly target the cryptocurrency industry and various blockchain platforms,” said Austin Larsen, senior incident response consultant at Mandiant Google Cloud. “The blending and sharing of DPRK’s cyber infrastructure makes attribution oftentimes difficult, however targeting remains consistent and we anticipate there are other victims that are dealing with this."
