North Korean hackers breached a US tech company to steal crypto

WASHINGTON, July 20 (Reuters) – A North Korean government-backed hacking group penetrated an American IT management company and used it as a springboard to target cryptocurrency companies, the firm and cybersecurity experts said on Thursday.

The hackers broke into Louisville, Colorado-based JumpCloud in late June and used their access to the company’s systems to target “fewer than 5” of its clients, it said in a blog post.

JumpCloud did not identify the customers affected, but cybersecurity firms CrowdStrike Holdings (CRWD.O) – which is assisting JumpCloud – and Alphabet-owned Mandiant (GOOGL.O) – which is assisting one of JumpCloud’s clients – both said the hackers involved were known to focus on cryptocurrency theft.

Two people familiar with the matter confirmed that the JumpCloud clients were targeted by the hackers who were cryptocurrency companies.

The hack shows how North Korean cyber spies, once content with going after digital currency firms piecemeal, are now tackling companies that can give them broader access to multiple victims downstream – a tactic known as a “supply chain attack.”

“North Korea in my opinion is really stepping up their game,” said Tom Hegel, who works for US firm SentinelOne (SN) and independently confirmed Mandiant and CrowdStrike’s attribution.

Pyongyang’s mission to the United Nations in New York did not respond to a request for comment. North Korea has previously denied organizing digital currency heists, despite voluminous evidence – including UN reports – to the contrary.

CrowdStrike identified the hackers as “Labyrinth Chollima” – one of several groups alleged to operate on North Korea’s behalf. Mandiant said the hackers responsible worked for North Korea’s Reconnaissance General Bureau (RGB), its primary foreign intelligence agency.

The US cyber watchdog agency CISA and the FBI declined to comment.

The hack on JumpCloud – whose products are used to help network administrators manage devices and servers – first surfaced publicly earlier this month when the firm emailed customers to say their credentials would be changed “out of an abundance of caution relating to an ongoing incident.”

In an earlier version of the blog post that acknowledged that the incident was a hack, JumpCloud traced the intrusion back to June 27. The cybersecurity-focused podcast Risky Business earlier this week cited two sources as saying that North Korea was a suspect in the intrusion.

Labyrinth Chollima is one of North Korea’s most prolific hacking groups and is said to be responsible for some of the isolated country’s most online and disruptive cyber intrusions. Its theft of cryptocurrency has led to the loss of eye-watering sums: Blockchain analytics firm Chainalysis said last year that North Korean-linked groups stole an estimated $1.7 billion worth of digital cash across multiple hacks.

CrowdStrike Senior Vice President for Intelligence Adam Meyers said Pyongyang’s hacking squads should not be underestimated.

“I don’t think this is the last we’ll see of North Korean supply chain attacks this year,” he said.

Reporting by Christopher Bing and Raphael Satter in Washington; Additional reporting by James Pearson in London and Michelle Nichols in New York; Editing by Anna Driver, Bernadette Baum, Conor Humphries and Marguerita Choy

Our Standards: The Thomson Reuters Trust Principles.

Award-winning reporter covering the intersection between technology and national security with a focus on how the evolving cybersecurity landscape affects government and business.

Reporter covering cybersecurity, surveillance, and disinformation for Reuters. Work has included investigations into state-sponsored espionage, deepfake-driven propaganda, and mercenary hacking.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *