WASHINGTON, July 20 (Reuters) – A North Korean government-backed hacking group penetrated an American IT management firm and used it as a springboard to target cryptocurrency companies, the firm and cybersecurity experts said on Thursday.
The hackers broke into Louisville, Colorado-based JumpCloud in late June and used their access to the company's systems to target "fewer than 5" of its customers, it said in a blog post.
JumpCloud did not identify the customers affected, but cybersecurity firms CrowdStrike Holdings (CRWD.O) – which is assisting JumpCloud – and Alphabet-owned Mandiant (GOOGL.O) – which is assisting one of JumpCloud's customers – both said the hackers involved were known to focus on cryptocurrency theft.
Two people familiar with the matter confirmed that the JumpCloud customers targeted by the hackers were cryptocurrency companies.
The hack shows how North Korean cyber spies, once content with going after digital currency firms piecemeal, are now tackling companies that can give them broader access to multiple victims downstream – a tactic known as a "supply chain attack."
"North Korea in my opinion is really stepping up their game," said Tom Hegel, who works for U.S. firm SentinelOne (S.N) and independently confirmed Mandiant and CrowdStrike's attribution.
Pyongyang's mission to the United Nations in New York did not respond to a request for comment. North Korea has previously denied organizing digital currency heists, despite voluminous evidence – including U.N. reports – to the contrary.
CrowdStrike identified the hackers as "Labyrinth Chollima" – one of several groups alleged to operate on North Korea's behalf. Mandiant said the hackers responsible worked for North Korea's Reconnaissance General Bureau (RGB), its main foreign intelligence agency.
The U.S. cyber watchdog agency CISA and the FBI declined to comment.
The hack on JumpCloud – whose products are used to help network administrators manage devices and servers – first surfaced publicly earlier this month when the firm emailed customers to say their credentials would be changed "out of an abundance of caution relating to an ongoing incident."
In an earlier version of the blog post that acknowledged that the incident was a hack, JumpCloud traced the intrusion back to June 27. The cybersecurity-focused podcast Risky Business earlier this week cited two sources as saying that North Korea was a suspect in the intrusion.
Labyrinth Chollima is one of North Korea's most prolific hacking groups and is alleged to be responsible for some of the isolated country's most daring and disruptive cyber intrusions. Its theft of cryptocurrency has led to the loss of eye-watering sums: Blockchain analytics firm Chainalysis said last year that North Korean-linked groups stole an estimated $1.7 billion worth of digital cash across multiple hacks.
CrowdStrike Senior Vice President for Intelligence Adam Meyers said Pyongyang's hacking squads should not be underestimated.
"I don't think this is the last we'll see of North Korean supply chain attacks this year," he said.
Reporting by Christopher Bing and Raphael Satter in Washington; Additional reporting by James Pearson in London and Michelle Nichols in New York; Editing by Anna Driver, Bernadette Baum, Conor Humphries and Marguerita Choy