JumpCloud cloud directory-as-a-service provider unfazed a cyberattack that first came to light, which has been attributed to a North Korean hacking group.
The attack was first detected as anomalous activity on an internal orchestration system and was traced back to a sophisticated spear-phishing campaign by a threat actor on June 22. A forensic investigation then led to the discovery of further unusual activity in the company’s network, resulting in JumpCloud resetting customers’ admin application programming interface keys.
JumpCloud attributed the attack to a sophisticated nation state sponsored threat actor but didn’t name a country or suspected hacking group. Now CrowdStrike, which worked with JumpCloud to investigate the breach, has attributed it to the North Korean hacking group “Labyrinth Chollima.”
Labyrinth Chollima, also known as threat actor UNC4736 and Apple Jesus, was linked to the hack of popular video conferencing and business phone management application provider 3CX in March. The group has also been linked to the infamous North Korean hacking group Lazarus.
Research report suggests that the intrusion illustrates the propensity of North Korean threat actors to target supply chains, allowing them to launch multiple subsequent intrusions. The report also provides evidence that these actors understand the benefits derived from carefully selecting high-value targets as a pivot point for conducting supply chain attacks into fruitful networks.
The two security companies linking the attack to North Korea are not enough, Mandiant makes it three: it also confirmed the intrusion came from North Korea.
Since JumpCloud has confirmed that the attack was from North Korea, fewer than five JumpCloud customers and fewer than ten devices were impacted out of the company’s more than 200,000 customers.