Pierluigi Paganini July 18, 2023

Software firm JumpCloud announced it was the victim of a sophisticated cyber attack carried out by a nation-state actor.

JumpCloud is a cloud-based directory service platform designed to manage user identities, devices, and applications in a seamless and secure manner. It allows IT administrators to centralize and simplify their identity and access management tasks across various systems and applications.

The company revealed it was hit by a nation-state cyberattack that targeted specific customers.

In response to the attack, JumpCloud has invalidated existing API keys to protect its customer’s operations.

“Out of an abundance of caution relating to an ongoing incident, JumpCloud has decided to invalidate all API Keys for JumpCloud Admins,” explained the company through the support page.

The attack was uncovered by the company on June 27, but threat actors breached its network a week before via a spear-phishing campaign.

The company launched an investigation into the incident with the help of law enforcement and cybersecurity experts.

“today we are publishing details of activity by a sophisticated nation-state sponsored threat actor that gained unauthorized access to our systems to target a small and specific set of our customers. Prior to sharing this information, we notified and worked with the impacted customers. We have also been working with our incident response (IR) partners and law enforcement on both our investigation and steps designed to make our systems and our customers’ operations even more secure.” reads the Security Update published by the software firm on July 12, 2023. “The attack vector used by the threat actor has been mitigated.”

The investigation confirmed that the attack was extremely targeted and aimed at specific customers.

The attackers were able to inject data into JumpCloud’s commands framework.

The company created and shared a list of IOCs (Indicators of Compromise) for this attack.

“These are sophisticated and persistent adversaries with advanced capabilities.” continues the Security Update.

The JumpCloud did not attribute the attack to a specific threat actor 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, JumpCloud)