North Korean state-backed hackers have infiltrated an American IT management company and used it as a launching pad to attack the company's cryptocurrency clients, according to sources familiar with the incident.
North Korean Hackers Breach US IT Management Firm to Reach Crypto Clients
The hack, which occurred in late June, targeted JumpCloud, a company based in Louisville, Colorado. Once inside JumpCloud’s systems, the hackers set their sights on the firm’s cryptocurrency clients, with the intention of pilfering digital cash.
The incident marks a shift in North Korean tactics: rather than attacking crypto firms one at a time, the hackers now go after vendors whose access extends to many crypto companies at once, so that a single compromise opens the door to multiple sources of bitcoin and other digital currencies.
JumpCloud, in a recent blog post, acknowledged the hack and attributed it to a “sophisticated nation-state sponsored threat actor.” However, they did not disclose the identity of the perpetrators or provide details on the affected clients. A spokesperson for JumpCloud stated that fewer than five customers were impacted. As of now, it remains unclear whether any digital currency was successfully stolen during the attack.
Cybersecurity firm CrowdStrike Holdings, which is collaborating with JumpCloud to investigate the breach, has confirmed that the hack was the work of a specific group of North Korean hackers known as “Labyrinth Chollima.” CrowdStrike’s Senior Vice President for Intelligence, Adam Meyers, noted that this group has a history of targeting cryptocurrency-related entities, primarily aiming to generate revenue for the North Korean regime.
Despite abundant evidence, including reports from the United Nations, Pyongyang’s mission to the UN in New York has not responded to inquiries about the incident and continues to deny involvement in digital currency heists.
Independent research corroborates CrowdStrike’s attribution. Cybersecurity researcher Tom Hegel said the JumpCloud breach is one in a series of recent attacks showing North Korea’s proficiency in “supply chain attacks,” in which a software or service provider is compromised in order to reach the data or funds of its downstream customers.
In a forthcoming blog post, Hegel will present digital indicators linking the hackers to North Korean activity previously identified in other incidents.
CISA (the Cybersecurity and Infrastructure Security Agency, the U.S. cyber watchdog) and the FBI have not commented on the incident. CrowdStrike’s Meyers warned that North Korean supply chain attacks are likely to continue and urged companies and organizations to remain vigilant.
JumpCloud’s products let network administrators manage devices and servers centrally. That is exactly what makes such a provider a tempting supply chain target: compromising it can hand an attacker the same administrative reach into each customer’s environment, without having to break into those customers one by one.
Labyrinth Chollima, recognized as one of North Korea’s most active hacking groups, has carried out numerous bold and disruptive cyber intrusions. The regime’s focus on cryptocurrency theft has yielded staggering sums: blockchain analytics firm Chainalysis estimates that North Korea-linked hackers stole about $1.7 billion worth of digital cash across multiple hacks in 2022 alone.
Meyers emphasizes that underestimating North Korea’s hacking capabilities would be a mistake, predicting the likelihood of further supply chain attacks orchestrated by Pyongyang’s hacking squads in the coming months. Companies dealing with cryptocurrencies and other sensitive data should remain on high alert to safeguard against potential cyber threats.