Support our award-winning journalism. The Premium package (digital only) is R30 for the first month and thereafter you pay R129 p/m now ad-free for all subscribers.
Washington — A North Korean government-backed hacking group penetrated an American IT management company and used it as a springboard to target cryptocurrency companies, according to two sources familiar with the matter.
The hackers broke into Louisville, Colorado-based JumpCloud in late June and used their access to the company’s systems to target its cryptocurrency company clients in an effort to steal digital cash, the sources said.
The hack shows how North Korean cyber spies, once content with going after crypto companies one at a time, are now tackling companies that can give them access to multiple sources of bitcoin and other digital currencies.
JumpCloud, which acknowledged the hack in a blog post last week and blamed it on a “sophisticated nation-state sponsored threat actor”, did not respond to questions about who was behind the hack and which clients were affected.
A JumpCloud spokesperson said fewer than five customers had been affected. Reuters could not ascertain whether any digital currency was ultimately stolen as a result of the hack.
Cybersecurity firm CrowdStrike Holdings, which is working with JumpCloud to investigate the breach, confirmed that “Labyrinth Chollima” — the name it gives to a particular squad of North Korean hackers — was behind the breach.
CrowdStrike senior vice-president for intelligence Adam Meyers declined to comment on what the hackers were seeking, but noted that they had a history of targeting cryptocurrency targets.
“One of their primary objectives has been generating revenue for the regime,” he said.
Pyongyang’s mission to the UN in New York did not immediately respond to a request for comment. North Korea has previously denied organising digital currency heists, despite voluminous evidence — including UN reports — to the contrary.
Independent research backed CrowdStrike’s allegation.
Elaborate hacks
Cybersecurity researcher Tom Hegel, who was not involved in the investigation, said the JumpCloud intrusion was the latest of several recent breaches that showed how the North Koreans have become adept at “supply chain attacks”, or elaborate hacks that work by compromising software or service providers to steal data — or money — from users downstream.
“North Korea in my opinion is really stepping up their game,” said Hegel, who works for US firm SentinelOne.
In a blog post to be published on Thursday, Hegel said the digital indicators published by JumpCloud tied the hackers to activity previously attributed to North Korea.
The US cyber watchdog agency CISA and the FBI declined to comment.
The hack on JumpCloud — the products of which are used to help network administrators manage devices and servers — first surfaced publicly earlier this month when the firm emailed customers to say their credentials would be changed “out of an abundance of caution relating to an ongoing incident”.
In the blog post that acknowledged that the incident was a hack, JumpCloud traced the intrusion back to June 27. The cybersecurity-focused podcast Risky Business earlier this week cited two sources as saying that North Korea was a suspect in the intrusion.
Labyrinth Chollima is one of North Korea’s most prolific hacking groups and is said to be responsible for some of the isolated country’s most daring and disruptive cyber intrusions. Its theft of cryptocurrency has led to the loss of eye-watering sums: Blockchain analytics firm Chainalysis said in 2022 that North Korean-linked groups stole an estimated $1.7bn worth of digital cash across multiple hacks.
CrowdStrike’s Meyers said Pyongyang’s hacking squads should not be underestimated.
“I don’t think this is the last we’ll see of North Korean supply chain attacks this year,” he said.
Support our award-winning journalism. The Premium package (digital only) is R30 for the first month and thereafter you pay R129 p/m now ad-free for all subscribers.
North Korean hackers target crypto clients in US breach
Cybersecurity firm blames ‘sophisticated nation-state sponsored’ Labyrinth Chollima for attempted heist
Washington — A North Korean government-backed hacking group penetrated an American IT management company and used it as a springboard to target cryptocurrency companies, according to two sources familiar with the matter.
The hackers broke into Louisville, Colorado-based JumpCloud in late June and used their access to the company’s systems to target its cryptocurrency company clients in an effort to steal digital cash, the sources said.
The hack shows how North Korean cyber spies, once content with going after crypto companies one at a time, are now tackling companies that can give them access to multiple sources of bitcoin and other digital currencies.
JumpCloud, which acknowledged the hack in a blog post last week and blamed it on a “sophisticated nation-state sponsored threat actor”, did not respond to questions about who was behind the hack and which clients were affected.
A JumpCloud spokesperson said fewer than five customers had been affected. Reuters could not ascertain whether any digital currency was ultimately stolen as a result of the hack.
Cybersecurity firm CrowdStrike Holdings, which is working with JumpCloud to investigate the breach, confirmed that “Labyrinth Chollima” — the name it gives to a particular squad of North Korean hackers — was behind the breach.
CrowdStrike senior vice-president for intelligence Adam Meyers declined to comment on what the hackers were seeking, but noted that they had a history of targeting cryptocurrency targets.
“One of their primary objectives has been generating revenue for the regime,” he said.
Pyongyang’s mission to the UN in New York did not immediately respond to a request for comment. North Korea has previously denied organising digital currency heists, despite voluminous evidence — including UN reports — to the contrary.
Independent research backed CrowdStrike’s allegation.
Elaborate hacks
Cybersecurity researcher Tom Hegel, who was not involved in the investigation, said the JumpCloud intrusion was the latest of several recent breaches that showed how the North Koreans have become adept at “supply chain attacks”, or elaborate hacks that work by compromising software or service providers to steal data — or money — from users downstream.
“North Korea in my opinion is really stepping up their game,” said Hegel, who works for US firm SentinelOne.
In a blog post to be published on Thursday, Hegel said the digital indicators published by JumpCloud tied the hackers to activity previously attributed to North Korea.
The US cyber watchdog agency CISA and the FBI declined to comment.
The hack on JumpCloud — the products of which are used to help network administrators manage devices and servers — first surfaced publicly earlier this month when the firm emailed customers to say their credentials would be changed “out of an abundance of caution relating to an ongoing incident”.
In the blog post that acknowledged that the incident was a hack, JumpCloud traced the intrusion back to June 27. The cybersecurity-focused podcast Risky Business earlier this week cited two sources as saying that North Korea was a suspect in the intrusion.
Labyrinth Chollima is one of North Korea’s most prolific hacking groups and is said to be responsible for some of the isolated country’s most daring and disruptive cyber intrusions. Its theft of cryptocurrency has led to the loss of eye-watering sums: Blockchain analytics firm Chainalysis said in 2022 that North Korean-linked groups stole an estimated $1.7bn worth of digital cash across multiple hacks.
CrowdStrike’s Meyers said Pyongyang’s hacking squads should not be underestimated.
“I don’t think this is the last we’ll see of North Korean supply chain attacks this year,” he said.
Reuters
Justice department slapped with R5m fine over tardiness in fixing IT breaches
Clicks limits access to customers’ personal data after cyberattack
41,000 Nedbank clients’ cellphone numbers retrieved in cyberattack
Organisations with mature cyber security cultures sleep better
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.
Most Read
Related Articles
SA needs a cyber commissioner, says DA
US says Chinese hackers breach state department’s email accounts
Russian hackers target diplomats with fake car ad
France to assist SIU with cybercrime capabilities
Published by Arena Holdings and distributed with the Financial Mail on the last Thursday of every month except December and January.