North Korean state-sponsored hackers suspected to be behind JumpCloud supply chain attack

After an analysis of Indicators of Compromise (IoCs) associated with the JumpCloud hack, evidence has emerged suggesting the involvement of North Korean state-sponsored groups.

SentinelOne, which conducted the research, mapped out the infrastructure related to the intrusion. They uncovered patterns reminiscent of the supply chain attack targeting 3CX. However, JumpCloud attributed the attack to an unnamed "sophisticated nation-state sponsored threat actor."

According to SentinelOne's security researcher Tom Hegel, the North Korean threat actors exhibit high creativity and strategic awareness in their targeting strategies. They demonstrate a multifaceted approach to infiltrating developer environments, seeking access to tools and networks that can serve as gateways to more extensive opportunities. These actors often execute multiple supply chain intrusions before engaging in financially motivated theft.

CrowdStrike, working with JumpCloud to investigate the incident, attributed the attack to a North Korean actor, Labyrinth Chollima, a sub-cluster within the infamous Lazarus Group. The intrusion acted as a "springboard" to target cryptocurrency companies. This suggests an attempt to generate illegal revenues for the sanctions-hit nation.

Coinciding with these revelations, GitHub identified a low-volume social engineering campaign targeting the personal accounts of employees of technology firms. The campaign involves repository invitations and malicious npm package dependencies, primarily focusing on blockchain, cryptocurrency, online gambling, and cybersecurity sectors. GitHub linked this campaign to a North Korean hacking group called Jade Sleet (aka TraderTraitor).

Jade Sleet sets up bogus personas on GitHub and other social media services to contact targets and invite them to collaborate on a GitHub repository. Victims are convinced to clone and run the contents, which include decoy software with malicious npm dependencies serving as first-stage malware to download and execute second-stage payloads on the infected machine.

In SentinelOne's analysis, an IP address linked to the JumpCloud attack resolved to npmaudit[.]com, one of the domains listed by GitHub as used to fetch the second-stage malware. A second IP address was mapped to npm-pool[.]org.

The research highlights that North Korean threat actors continually adapt and explore novel methods to infiltrate targeted networks. The JumpCloud intrusion illustrates their inclination towards supply chain targeting, which opens the door to numerous potential subsequent intrusions.

The profound understanding of the benefits of meticulously selecting high-value targets as pivot points for conducting supply chain attacks is evident from North Korea's actions. As the threat landscape evolves, it becomes crucial for organisations and security experts to remain vigilant and stay ahead of these sophisticated cyber threats.