North Korean hackers linked to attempted supply-chain attack on JumpCloud customers

North Korean hackers were behind a breach of the software business JumpCloud that formed part of an attempted supply-chain attack targeting cryptocurrency companies, it was reported on Thursday.

JumpCloud — which provides identity and access management tools for enterprise devices — announced earlier this month that a “sophisticated nation-state sponsored threat actor” had managed in June to access its systems as part of an operation targeting “a small and specific set of our customers.”

It was not clear from the company’s statement whether any of its customers were successfully compromised, although JumpCloud said that some were “impacted.”

JumpCloud subsequently released technical details about the attack, which the security company SentinelOne said on Thursday matched those of a known North Korean hacking group. Reuters independently reported that the incident was conducted by Pyongyang-sponsored hackers in order to steal cryptocurrency.

North Korea’s state-sponsored hacking groups have been accused of stealing the equivalent of billions of dollars from victims worldwide, which the North Korean regime then uses to fund its nuclear missile program.

The attempted supply-chain attack on JumpCloud follows a similar incident affecting the enterprise office phone company 3CX earlier this year — again allegedly perpetrated by a North Korean state-sponsored group searching for cryptocurrency.

Software providers have been on high alert for these supply-chain intrusions since the 2020 attack on SolarWinds, which led to data breaches at multiple organizations — including the U.S. government — after suspected Chinese hackers compromised a third-party system used by Microsoft customers.

“It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks,” warned SentinelOne. “The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions.”

North Korea has consistently denied involvement in cryptocurrency heists, despite evidence presented by both United Nations researchers and prosecutors in the United States.

In 2021, the U.S. unsealed an indictment charging three North Korean hackers — allegedly employed by Pyongyang's military intelligence services — with stealing and extorting more than $1.3 billion from financial institutions and cryptocurrency exchanges around the world.

The indictment contains detailed allegations about their involvement in multiple cyber activities, including the attack on Sony Pictures and the WannaCry ransomware incident.

At the time, the U.S. assistant attorney general John Demers said: “North Korea's operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world's leading 21st century nation-state robbers. Simply put, the regime has become a criminal syndicate with a flag, which harnesses its state resources to steal hundreds of millions of dollars.”

This May, the U.S. Treasury announced sanctions on four entities that employ thousands of North Korean IT workers who help illicitly finance the regime's missile and weapons of mass destruction programs.

The department said North Korea maintains legions of “highly skilled” IT workers around the globe, primarily in China and Russia, who “generate revenue that contributes to its unlawful WMD and ballistic missile programs.”