Experts believe North Korea behind JumpCloud supply chain attack

SentinelOne researchers attribute the recent supply chain attacks on JumpCloud to North Korea-linked threat actors.

JumpCloud is a cloud-based directory service platform designed to manage user identities, devices, and applications in a seamless and secure manner. It allows IT administrators to centralize and simplify their identity and access management tasks across various systems and applications.

The company revealed it was hit by a nation-state cyberattack that targeted specific customers.

In response to the attack, JumpCloud has invalidated existing API keys to protect its customers’ operations.

“Out of an abundance of caution relating to an ongoing incident, JumpCloud has decided to invalidate all API Keys for JumpCloud Admins,” explained the company through the support page.

The investigation confirmed that the attack was extremely targeted and aimed at specific customers.

The attackers were able to inject data into JumpCloud’s commands framework.

The company created and shared a list of IOCs (Indicators of Compromise) for this attack.

“These are sophisticated and persistent adversaries with advanced capabilities,” states the Security Update.

While JumpCloud did not attribute the attack to a specific threat actor, SentinelOne researchers analyzed the indicators of compromise associated with the attack and attributed it to North Korea-linked APT groups.

“Reviewing the newly released indicators of compromise, we associate the cluster of threat activity to a North Korean state sponsored APT. The IOCs are linked to a wide variety of activity we attribute to DPRK, overall centric to the supply chain targeting approach seen in previous campaigns,” states SentinelOne.

SentinelOne analyzed the attack infrastructure and found patterns that overlap with the activity of North Korea-linked APT groups. SentinelOne experts discovered that the IP address 144.217.92[.]197, linked to the JumpCloud attack, resolves to npmaudit[.]com, one of the domains listed in a GitHub alert because it was used to fetch second-stage malware. It is unclear whether the domains listed in the GitHub alert were involved in the JumpCloud incident or whether they belong to a separate effort by the same threat actors.
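For defenders working through the published indicators, the following added example (not JumpCloud's, SentinelOne's or GitHub's tooling) refangs the two indicators quoted in this article, then sweeps constructed DNS, proxy and firewall log lines for exact and subdomain matches; the log lines are invented for the example and the full IOC list is not reproduced on this page.

```python
import ipaddress
import re

# Indicators quoted in the article, defanged as published.
# Only the two named on this page are included; the full list is not here.
DEFANGED_IOCS = ["144.217.92[.]197", "npmaudit[.]com"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a string that matches raw logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def build_matchers(defanged):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for raw in defanged:
        ioc = refang(raw).lower()
        try:
            ipaddress.ip_address(ioc)
            ips.add(ioc)
        except ValueError:
            domains.add(ioc)
    return ips, domains

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)

def scan(lines, ips, domains):
    """Return (line_no, kind, value) for every indicator hit.
    Domains match exactly or as a subdomain of a listed domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, "ip", ip))
        for dom in DOMAIN_RE.findall(line):
            dom = dom.lower()
            if dom in domains or any(dom.endswith("." + d) for d in domains):
                hits.append((n, "domain", dom))
    return hits

# Constructed sample log lines; they are not from the incident.
SAMPLE_LOGS = [
    "2023-07-12T10:01:02Z dns query host01 npmaudit.com A",
    "2023-07-12T10:01:03Z proxy host01 GET https://cdn.npmaudit.com/update.js 200",
    "2023-07-12T10:02:10Z fw allow 10.0.0.5 -> 144.217.92.197:443",
    "2023-07-12T10:03:00Z dns query host02 registry.npmjs.org A",
]

def scan_sample():
    ips, domains = build_matchers(DEFANGED_IOCS)
    return scan(SAMPLE_LOGS, ips, domains)
```

The legitimate registry.npmjs.org lookup on the last line produces no hit, which is the check that the subdomain rule does not over-match.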

The attackers demonstrated the ability to carry out multiple levels of supply chain intrusion, access that can also be exploited in financially motivated attacks.

“It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks. The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions,” concludes SentinelOne.

JumpCloud is investigating the incident with the support of cybersecurity firm CrowdStrike. CrowdStrike also linked the attack to North Korean APT groups such as Labyrinth Chollima.

According to the experts, the nation-state actors hacked the software firm to target its customers in the cryptocurrency industry.

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)
