North Korean hackers target crypto clients in US breach

Washington — A North Korean government-backed hacking group penetrated an American IT management company and used it as a springboard to target cryptocurrency companies, according to two sources familiar with the matter.

The hackers broke into Louisville, Colorado-based JumpCloud in late June and used their access to the company’s systems to target its cryptocurrency company clients in an effort to steal digital cash, the sources said.

The hack shows how North Korean cyber spies, once content with going after crypto companies one at a time, are now tackling companies that can give them access to multiple sources of bitcoin and other digital currencies.

JumpCloud, which acknowledged the hack in a blog post last week and blamed it on a “sophisticated nation-state sponsored threat actor”, did not respond to questions about who was behind the hack and which clients were affected.

A JumpCloud spokesperson said fewer than five customers had been affected. Reuters could not ascertain whether any digital currency was ultimately stolen as a result of the hack.

Cybersecurity firm CrowdStrike Holdings, which is working with JumpCloud to investigate the breach, confirmed that “Labyrinth Chollima” — the name it gives to a particular squad of North Korean hackers — was behind the breach.

CrowdStrike senior vice-president for intelligence Adam Meyers declined to comment on what the hackers were seeking, but noted that they had a history of targeting cryptocurrency targets.

“One of their primary objectives has been generating revenue for the regime,” he said.

Pyongyang’s mission to the UN in New York did not immediately respond to a request for comment. North Korea has previously denied organising digital currency heists, despite voluminous evidence — including UN reports — to the contrary.

Independent research backed CrowdStrike’s allegation.

Elaborate hacks

Cybersecurity researcher Tom Hegel, who was not involved in the investigation, said the JumpCloud intrusion was the latest of several recent breaches that showed how the North Koreans have become adept at “supply chain attacks”, or elaborate hacks that work by compromising software or service providers to steal data — or money — from users downstream.

“North Korea in my opinion is really stepping up their game,” said Hegel, who works for US firm SentinelOne.

In a blog post to be published on Thursday, Hegel said the digital indicators published by JumpCloud tied the hackers to activity previously attributed to North Korea.

The US cyber watchdog agency CISA and the FBI declined to comment.

The hack on JumpCloud — the products of which are used to help network administrators manage devices and servers — first surfaced publicly earlier this month when the firm emailed customers to say their credentials would be changed “out of an abundance of caution relating to an ongoing incident”.

In the blog post that acknowledged that the incident was a hack, JumpCloud traced the intrusion back to June 27. The cybersecurity-focused podcast Risky Business earlier this week cited two sources as saying that North Korea was a suspect in the intrusion.

Labyrinth Chollima is one of North Korea’s most prolific hacking groups and is said to be responsible for some of the isolated country’s most daring and disruptive cyber intrusions. Its theft of cryptocurrency has led to the loss of eye-watering sums: Blockchain analytics firm Chainalysis said in 2022 that North Korean-linked groups stole an estimated $1.7bn worth of digital cash across multiple hacks.

CrowdStrike’s Meyers said Pyongyang’s hacking squads should not be underestimated.

“I don’t think this is the last we’ll see of North Korean supply chain attacks this year,” he said.

Reuters