
WASHINGTON, July 20 (Reuters) – A North Korean government-backed hacking group has breached a US information technology management company and used it as a springboard to target an unknown number of cryptocurrency companies, according to two people familiar with the matter.

The sources said the hackers broke into Louisville, Colorado-based JumpCloud in late June and used their access to the company's systems to target its cryptocurrency-company customers in an attempt to steal digital cash.

The hack shows how North Korean cyber spies, once content to hunt down crypto companies one by one, are now going after service providers that can give them access to multiple sources of bitcoin and other digital currencies at once.

JumpCloud, which acknowledged the hack in a blog post last week and blamed it on “a sophisticated threat actor sponsored by a nation-state,” did not answer Reuters’ questions about who was behind the hack specifically and which customers were affected. Reuters was unable to confirm whether any cryptocurrency was eventually stolen as a result of the hack.

The cybersecurity firm CrowdStrike Holdings (CRWD.O), which is working with JumpCloud to investigate the hack, said that "Labyrinth Chollima" – its name for a particular squad of North Korean hackers – was behind the intrusion.

Adam Meyers, CrowdStrike's senior vice president of intelligence, declined to comment on what the hackers were after, but noted that the group has a history of going after cryptocurrency.

“One of their primary goals is to generate revenue for the system,” he said.

Pyongyang’s mission to the United Nations in New York did not immediately respond to a request for comment. North Korea has previously denied organizing cryptocurrency theft, despite massive evidence — including UN reports — to the contrary.

Independent research supported the CrowdStrike claim.

Cybersecurity researcher Tom Hegel, who was not involved in the investigation, told Reuters that the JumpCloud breach was the latest of several recent intrusions showing how the North Koreans have become adept at "supply chain attacks," elaborate hacks that work by compromising a software or service provider in order to steal data, or money, from that provider's users.

"In my opinion, North Korea is stepping up its game," said Hegel, who works for the US company SentinelOne (S.N).

In a blog post to be published Thursday, Hegel said that digital indicators published by JumpCloud linked the hackers to activity previously attributed to North Korea.

CISA and the FBI declined to comment.

The hack on JumpCloud — whose products are used to help network administrators manage devices and servers — first became public earlier this month when the company emailed customers to say their credentials would change “out of an abundance of caution regarding an ongoing incident.”

In the blog post acknowledging that the incident was a hack, JumpCloud traced the intrusion back to June 27. The Risky Business podcast, which focuses on cybersecurity, quoted two sources earlier this week as saying that North Korea was suspected of being behind the break-in.

Labyrinth Chollima is one of North Korea's most prolific hacking groups and is said to be responsible for some of the most daring and disruptive cyber intrusions attributed to the isolated country. Its theft of cryptocurrency has cost victims staggering sums: blockchain analytics firm Chainalysis said last year that North Korea-linked groups stole an estimated $1.7 billion in digital cash across multiple hacks.

CrowdStrike's Meyers said Pyongyang's hacking teams should not be underestimated.

“I don’t think this is the last thing we will see in North Korean supply chain attacks this year,” he said.

(Reporting by Christopher Bing and Raphael Satter in Washington; additional reporting by James Pearson in London and Michelle Nichols in New York; editing by Anna Driver)
