A cybersecurity breach carried out by a North Korean government-backed hacking group has targeted an American IT management company, exploiting it as a stepping stone to attack cryptocurrency businesses, according to the IT firm and cybersecurity experts.
The hacking group infiltrated JumpCloud, based in Louisville, Colorado, in late June, and from there, they focused on fewer than five of the company’s clients, as disclosed in a recent blog post by JumpCloud.
While the identities of the affected clients were not revealed by JumpCloud, cybersecurity firms CrowdStrike Holdings and Mandiant, which are assisting JumpCloud and one of its clients respectively, confirmed that the hackers have a history of cryptocurrency theft.
It has been reported that the targeted clients were indeed cryptocurrency companies. This incident highlights a concerning trend where North Korean cyber spies are moving beyond attacking digital currency firms individually and instead opting for a “supply chain attack” strategy. This allows them to gain access to multiple downstream victims by targeting companies connected to the primary target.
Tom Hegel, an expert working for US firm SentinelOne, independently corroborated the attribution made by CrowdStrike and Mandiant, and emphasized that North Korea is intensifying its cyber espionage efforts.
The mission of Pyongyang to the United Nations did not respond to requests for comments, and despite overwhelming evidence, including UN reports, North Korea has repeatedly denied its involvement in digital currency heists.
CrowdStrike identified the hacking group as “Labyrinth Chollima,” one of several groups believed to act on behalf of North Korea, while Mandiant revealed that the hackers are affiliated with North Korea’s Reconnaissance General Bureau (RGB), the country’s primary foreign intelligence agency.
Both the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI declined to comment on the matter.
The attack on JumpCloud, a company known for providing products to help manage devices and servers for network administrators, came to light earlier this month when the company informed its customers about the need to change their credentials due to an ongoing security incident.
Rumors of North Korea’s potential involvement in the attack circulated prior to the confirmation. Labyrinth Chollima is renowned for being one of North Korea’s most prolific hacking groups, responsible for audacious and disruptive cyber intrusions.
Their cryptocurrency thefts have amounted to staggering sums, with an estimated US$1.7 billion ($2.5 billion) in digital cash stolen across various hacks, according to blockchain analytics firm Chainalysis.
CrowdStrike’s Senior Vice President for Intelligence, Adam Meyers, cautioned against underestimating North Korea’s hacking capabilities, predicting that more supply chain attacks might occur throughout the year.