© Reuters. An illustration of people holding computers in front of a North Korean flag, taken July 19, 2023. REUTERS/Dado Ruvic/Illustration
Written by Christopher Bing and Raphael Satter
A North Korean government-backed hacking group breached a US IT management company and used it as a springboard to target cryptocurrency companies, the company and cybersecurity experts said Thursday.
The company said in a blog post that hackers broke into JumpCloud in Louisville, Colorado, in late June and used their access to the company’s systems to target “less than 5” of its customers.
JumpCloud didn’t identify the affected customers, but cybersecurity firms CrowdStrike Holdings — which is helping JumpCloud — and Alphabet-owned Mandiant — which is helping a JumpCloud customer — both said the hackers involved are known to focus on stealing cryptocurrency.
Two people familiar with the matter confirmed that the JumpCloud customers targeted by the hacks were cryptocurrency companies.
The hack shows how North Korean cyber spies, who used to be content to hunt down cryptocurrency companies piecemeal, are now taking on companies that could give them broader access to their many eventual victims – a tactic known as a “supply chain attack”.
“In my opinion, North Korea is stepping up its game,” said Tom Hegel, who works for US cybersecurity firm SentinelOne and independently corroborated the Mandiant and CrowdStrike attribution.
Pyongyang’s mission to the United Nations in New York did not respond to a request for comment. North Korea has previously denied organizing cryptocurrency theft, despite massive evidence — including UN reports — to the contrary.
CrowdStrike has identified the hackers as “Labyrinth Chollima” – one of several groups allegedly working on behalf of North Korea. Mandiant said the hackers responsible worked for North Korea’s Reconnaissance General Bureau (RGB), its main foreign intelligence agency.
CISA and the FBI declined to comment.
The hack on JumpCloud — whose products are used to help network administrators manage devices and servers — first became public earlier this month when the company emailed customers to say their credentials would change “out of an abundance of caution regarding an ongoing incident.”
In an earlier version of the blog post acknowledging the incident was a hack, JumpCloud traced the intrusion back to June 27. The cybersecurity-focused podcast Risky Business earlier this week quoted two sources as saying North Korea was a suspect in the hacking.
Labyrinth Chollima is one of North Korea’s most prolific hacking groups and is said to be responsible for some of the most daring and disruptive cyber heists attributed to the isolated country. Its theft of cryptocurrency has resulted in the loss of staggering sums: blockchain analytics firm Chainalysis said last year that North Korea-linked groups stole an estimated $1.7 billion in cryptocurrency via multiple hacks.
Pyongyang’s hacking teams should not be underestimated, said Adam Meyers, CrowdStrike’s senior vice president of intelligence.
“I don’t think this is the last thing we will see in North Korean supply chain attacks this year,” he said.