A North Korean state-backed hacker group attacked JumpCloud, a US software company, in an attempt to steal information about its cryptocurrency clients. JumpCloud first reported that a “nation-state actor” carried out a security breach in late June, and yesterday (July 20) the company confirmed North Korean actors were behind the attack.
The incident impacted fewer than 5 of its clients and fewer than 10 devices, JumpCloud said in a blog post. JumpCloud stated it has over 200,000 clients.
The company did not specify who the attacker was, but cybersecurity firms CrowdStrike and SentinelOne have independently identified North Korean cybercrime group Lazarus, infamous for the 2014 Sony hack, as the perpetrator. Alphabet subsidiary Mandiant also found the origin of the attack to be a North Korean actor.
CrowdStrike, which has been helping JumpCloud investigate the incident, said that a sub-group of Lazarus, called “Labyrinth Chollima”, was directly responsible for the hack, Reuters reported. The group is “one of the most prolific” North Korean hacker groups, CrowdStrike says on its website. It was also responsible for an attack on 3CX, a phone software company, in April.
$630 million: The estimated, record-breaking value of digital assets North Korean-linked actors stole in 2022, according to UN experts
$1.7 billion: Another estimated value of digital assets North Korean-linked actors stole in 2022, according to blockchain analytics company Chainalysis
$625 million: Estimated value of cryptocurrency Lazarus stole from Ronin Network, a blockchain designed for the online game Axie Infinity, in April 2022, making it the largest-ever crypto theft at the time
$300,000+: Salary some North Korean IT workers may earn in a year, according to the US Department of the Treasury
The US approved sanctions in May targeting North Korea’s “highly skilled IT workers.” Mostly located in Russia and China, the criminal workforce numbers in the thousands, and helps funnel money into the country’s weapons programs, according to the US Treasury.
“These workers deliberately obfuscate their identities, locations, and nationalities, typically using fake personas, proxy accounts, stolen identities, and falsified or forged documentation to apply for jobs,” the agency said in a May press release. “IT worker activity has included assisting DPRK officials in procuring WMD and ballistic missile-related items.”