Cryptocurrency Fraud, Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime
Threat Actor Is Financially Motivated Focusing on Cryptocurrency, Says Mandiant
Days after attributing the recent breach of its customer environment to a nation-state actor, enterprise software company JumpCloud on Thursday confirmed that the actor is North Korean and appears to be financially motivated, with the goal of stealing cryptocurrency.
JumpCloud Chief Information Security Officer Bob Phan confirmed that “fewer than five JumpCloud customers… and fewer than 10 devices in total were impacted.”
Phan said the company serves more than 200,000 organizations that rely on the JumpCloud platform for a variety of identity, access, security and management functions, and that it is important to disclose that the attack was extremely targeted and limited to specific customers.
“All impacted customers have been notified directly,” Phan said. The investigation is ongoing, and U.S. federal law enforcement and private cybersecurity firm CrowdStrike are assisting with forensic and incident response activities, he added.
Financially Motivated Actor
While JumpCloud did not name the threat actor behind the surgical attack and CrowdStrike declined to comment, citing the “active engagement,” Reuters, quoting Adam Meyers, senior vice president of intelligence at CrowdStrike, identified the hackers as “Labyrinth Chollima,” one of the most prolific Democratic People’s Republic of Korea adversaries tracked by CrowdStrike, active since at least 2009.
Another cybersecurity firm, Mandiant, which is currently working with one of the downstream victims compromised through the JumpCloud intrusion, also attributed the attack to North Korean hackers.
Austin Larsen, senior incident response consultant for Mandiant, told Information Security Media Group, “Mandiant assesses with high confidence that this is a cryptocurrency-focused element within the DPRK’s Reconnaissance General Bureau [RGB], targeting companies with cryptocurrency verticals to obtain credentials and reconnaissance data.”
He further stated that this is a financially motivated threat actor that Mandiant has seen increasingly target the cryptocurrency industry and various blockchain platforms. “The blending and sharing of DPRK’s cyber infrastructure makes attribution oftentimes difficult, however targeting remains consistent,” Larsen said.
According to MITRE, Labyrinth Chollima is closely associated with the notorious North Korean Lazarus Group, and their tactics and techniques often overlap. SentinelOne Senior Threat Researcher Tom Hegel, who studied the indicators of compromise recently shared by JumpCloud, tweeted that he is “highly confident in attributing the JumpCloud intrusion IOCs to North Korean threat actors” and suspects Lazarus could be involved, though more specifics are needed to pin down the attribution.
In a blog post, Hegel explained how he linked the indicators of compromise to APT infrastructure attributed to the DPRK.
“It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks,” Hegel said. “The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions. The DPRK demonstrates a profound understanding of the benefits derived from meticulously selecting high-value targets as a pivot point to conduct supply chain attacks into fruitful networks.”