North Korean hackers exploited shared cloud service to rob crypto firms
The affected crypto companies remain unidentified.
North Korean state hackers exploited a cloud services provider called JumpCloud to steal funds from crypto companies that use its services, Reuters reported on July 20.
Reuters’ confidential sources indicate that the North Korean state-backed hackers had a specific focus on cryptocurrency companies. However, the report did not disclose the names of the impacted companies or the exact quantity of cryptocurrency purportedly stolen.
CrowdStrike, a cybersecurity firm collaborating with JumpCloud to probe the incident, attributed the attack to a group known as Labyrinth Chollima. Although the representative from CrowdStrike did not confirm whether any cryptocurrency was stolen, he noted the group’s history of targeting cryptocurrency companies.
In an update on July 20, JumpCloud named North Korea as the perpetrator of the attack. It also disclosed that fewer than five of the company’s 200,000 corporate clients, and fewer than 10 devices, were affected.
Previously, the company had described a spear-phishing campaign conducted by a “sophisticated nation-state sponsored threat actor.” The company said that the attack began on June 22 and that it detected the activity on June 27.
JumpCloud said that it did not find any indication that customers were affected at that time. The company nevertheless updated credentials and took extra steps to preserve security; it also contacted law enforcement. However, on July 5, the company discovered additional activity that affected its customers, who were then informed of the situation.
JumpCloud says attackers are advanced
JumpCloud called the attackers “sophisticated and persistent adversaries with advanced capabilities” and said the best defense involves sharing information.
JumpCloud said that the attack vector involved data injection into its commands framework. The attack was found to be highly targeted and specific to certain customers. The investigation produced a list of IOCs (Indicators of Compromise), which JumpCloud has shared.
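Shared IOCs are only useful once a defender actually sweeps their own telemetry for them. The following is an added example, not code from the article or from JumpCloud, showing how a small IOC sweep works: it parses a simple type,value,description feed and matches domains (including subdomains), IPv4 addresses and SHA-256 hashes against endpoint log lines. The indicator values and the log lines are constructed placeholders (TEST-NET addresses, a reserved `.invalid` domain, an all-zero hash), not the indicators JumpCloud published; the log format is assumed.

```python
import re
from dataclasses import dataclass

# Constructed placeholder indicators (NOT the IOCs JumpCloud released).
PLACEHOLDER_HASH = "0" * 64
IOC_FEED = f"""\
# type,value,description
domain,example-c2.invalid,placeholder C2 domain
ipv4,203.0.113.7,placeholder C2 address (TEST-NET-3)
sha256,{PLACEHOLDER_HASH},placeholder file hash
"""

# Constructed sample log lines in an assumed "key=value" endpoint log format.
SAMPLE_LOGS = [
    "2023-07-05T10:01:02Z host=agent-01 dns query=updates.example.com",
    "2023-07-05T10:01:05Z host=agent-01 dns query=login.example-c2.invalid",
    "2023-07-05T10:02:10Z host=agent-02 conn dst=203.0.113.7:443 proto=tcp",
    f"2023-07-05T10:03:00Z host=agent-02 exec sha256={PLACEHOLDER_HASH} path=/tmp/x",
    "2023-07-05T10:04:00Z host=agent-03 conn dst=198.51.100.9:443 proto=tcp",
]


@dataclass(frozen=True)
class Ioc:
    kind: str   # "domain", "ipv4" or "sha256"
    value: str  # normalised to lowercase
    note: str


def parse_ioc_feed(text: str) -> list[Ioc]:
    """Parse a comma-separated feed; blank lines and '#' comments are skipped."""
    iocs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, note = (field.strip() for field in line.split(",", 2))
        iocs.append(Ioc(kind.lower(), value.lower(), note))
    return iocs


# Extractors for the indicator types we sweep for.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def domain_matches(candidate: str, ioc_domain: str) -> bool:
    """True for the domain itself or any subdomain of it."""
    return candidate == ioc_domain or candidate.endswith("." + ioc_domain)


def scan_logs(lines: list[str], iocs: list[Ioc]) -> list[tuple[int, str, str, str]]:
    """Return (line_number, kind, ioc_value, note) for every indicator hit."""
    by_kind: dict[str, list[Ioc]] = {}
    for ioc in iocs:
        by_kind.setdefault(ioc.kind, []).append(ioc)

    hits = []
    for number, line in enumerate(lines, 1):
        low = line.lower()
        for ip in IPV4_RE.findall(low):
            for ioc in by_kind.get("ipv4", []):
                if ip == ioc.value:
                    hits.append((number, "ipv4", ioc.value, ioc.note))
        for digest in SHA256_RE.findall(low):
            for ioc in by_kind.get("sha256", []):
                if digest == ioc.value:
                    hits.append((number, "sha256", ioc.value, ioc.note))
        for domain in DOMAIN_RE.findall(low):
            for ioc in by_kind.get("domain", []):
                if domain_matches(domain, ioc.value):
                    hits.append((number, "domain", ioc.value, ioc.note))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, parse_ioc_feed(IOC_FEED)):
        print("line %d: %s %s (%s)" % hit)
```

Two design points matter in practice: domain indicators are matched by suffix so that a C2 host under the listed domain is not missed, and every value is lowercased before comparison so that case differences in logs or feeds do not hide a hit.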
North Korean attackers have been involved in other crypto attacks, including those against Axie Infinity and Horizon Bridge. Estimates from Chainalysis suggest that North Korean groups stole $1.7 billion of the $3.8 billion in broader crypto thefts in 2022.