The hackers broke into Louisville, Colorado-based JumpCloud
in late June and used their access to the company’s systems to target
"fewer than 5" of its clients, it said in a blog post.
JumpCloud did not identify the customers affected, but
cybersecurity firms CrowdStrike Holdings (CRWD.O) - which is assisting
JumpCloud - and Alphabet-owned Mandiant (GOOGL.O) - which is assisting one of
JumpCloud's clients - both said the hackers involved were known to focus on
cryptocurrency theft.
Two people familiar with the matter confirmed that the
JumpCloud clients targeted by the hackers were cryptocurrency companies.
The hack shows how North Korean cyber spies, once content
with going after digital currency firms piecemeal, are now tackling companies
that can give them broader access to multiple victims downstream - a tactic
known as a "supply chain attack."
“North Korea in my opinion is really stepping up their
game,” said Tom Hegel, who works for U.S. firm SentinelOne (S.N) and
independently confirmed Mandiant and CrowdStrike's attribution.
Pyongyang's mission to the United Nations in New York did
not respond to a request for comment. North Korea has previously denied
organizing digital currency heists, despite voluminous evidence - including
U.N. reports - to the contrary.
CrowdStrike identified the hackers as "Labyrinth
Chollima" - one of several groups alleged to operate on North Korea's
behalf. Mandiant said the hackers responsible worked for North Korea's
Reconnaissance General Bureau (RGB), its primary foreign intelligence agency.
The U.S. cyber watchdog agency CISA and the FBI declined to
comment.
The hack on JumpCloud – whose products are used to help
network administrators manage devices and servers – first surfaced publicly
earlier this month when the firm emailed customers to say their credentials
would be changed “out of an abundance of caution relating to an ongoing
incident.”
In an earlier version of the blog post that acknowledged
that the incident was a hack, JumpCloud traced the intrusion back to June 27.
The cybersecurity-focused podcast Risky Business earlier this week cited two
sources as saying that North Korea was a suspect in the intrusion.
Labyrinth Chollima is one of North Korea’s most prolific
hacking groups and is said to be responsible for some of the isolated country’s
most daring and disruptive cyber intrusions. Its theft of cryptocurrency has
led to the loss of eye-watering sums: Blockchain analytics firm Chainalysis
said last year that North Korean-linked groups stole an estimated $1.7 billion
worthof digital cash across multiple hacks.
CrowdStrike Senior Vice President for Intelligence Adam
Meyers said Pyongyang's hacking squads should not be underestimated.
"I don't think this is the last we'll see of North
Korean supply chain attacks this year," he said.
0 comments:
Post a Comment