Technology

North Korean Hackers Are Targeting Your Cryptocurrency


In a recent cybersecurity breach, North Korea-backed hackers targeted cryptocurrency clients by infiltrating the systems of JumpCloud, a prominent U.S. enterprise software company. The breach, attributed to a sub-group of the notorious Lazarus hacking group called Labyrinth Chollima, highlights the persistent threat posed by state-sponsored cyber attacks. This article explores the details of the breach, the motivations behind North Korea’s hacking activities, and the implications for the cryptocurrency industry.

JumpCloud, a directory platform that provides authentication, authorization, and user/device management solutions for enterprises, confirmed that it experienced a breach in June. The company detected the intrusion and promptly initiated its incident response plan to mitigate the threat, secure its network, communicate with customers, and engage law enforcement. Although JumpCloud did not explicitly identify the nation behind the attack, cybersecurity researchers from Crowdstrike and SentinelOne have attributed it to North Korea-backed hackers.

Lazarus, the hacking group believed to be responsible for the JumpCloud breach, has a long history of targeting the cryptocurrency sector. This state-sponsored group has been actively tracked by cybersecurity companies since 2009 and is known for its association with North Korea’s sanctioned nuclear weapons program. Lazarus has previously targeted prominent crypto entities such as the Ronin Network and Harmony’s Horizon Bridge.

Both Crowdstrike and SentinelOne researchers have independently linked the JumpCloud breach to Lazarus. Adam Meyers, the Senior Vice President for Intelligence at Crowdstrike, stated that the group responsible for the attack is one of the most prolific adversaries associated with North Korea. Similarly, Tom Hegel, a researcher from SentinelOne, confirmed that indicators of compromise (IOCs) shared by JumpCloud are linked to a range of activities attributed to the Democratic People’s Republic of Korea (DPRK), commonly known as North Korea.

In addition to the JumpCloud breach, North Korean hackers may also be behind a recent social engineering campaign targeting GitHub customers. GitHub, a popular platform for software development collaboration, revealed that the campaign aimed at the personal accounts of employees from technology firms associated with the blockchain, cryptocurrency, and online gambling sectors. The attack was attributed to a group operating in support of North Korean objectives, commonly tracked as TraderTraitor by the Cybersecurity and Infrastructure Security Agency (CISA).

North Korea has a history of utilizing crypto-stealing operations to finance its sanctioned nuclear weapons program. The country’s army of illicit IT workers fraudulently gain employment worldwide, generating funds to support the regime’s weapons of mass destruction programs. To counter these activities, the U.S. government has imposed sanctions on North Korea’s illicit IT workforce and is offering rewards for information that can disrupt North Korean hackers.

The JumpCloud breach impacted a small and specific set of customers, given that the company’s software is used by over 180,000 organizations and boasts more than 5,000 paying customers. While the exact details of the breach’s impact on these customers remain undisclosed, JumpCloud responded swiftly to the incident, resetting affected customers’ API keys and implementing necessary measures to secure their network and perimeter.

The targeted attacks on cryptocurrency-related entities highlight the vulnerabilities within the industry. As cryptocurrencies continue to gain popularity and value, they become attractive targets for state-sponsored hacking groups seeking financial gain or funding for illicit activities. The industry must remain vigilant and implement robust security measures to safeguard digital assets and protect users’ sensitive information.

The JumpCloud breach serves as a reminder that all organizations, regardless of their size or industry, must prioritize cybersecurity. State-sponsored hacking groups, like Lazarus, possess advanced capabilities and constantly evolve their attack techniques. It is crucial for enterprises to invest in comprehensive cybersecurity measures, including employee training, threat intelligence, vulnerability assessments, and incident response plans.

In summary, the North Korea-backed hacking incident targeting JumpCloud and subsequent attacks on cryptocurrency-related entities demonstrate the ongoing threat posed by state-sponsored cybercriminals. Lazarus, a well-known hacking group associated with North Korea, has a history of targeting the cryptocurrency sector to finance the country’s nuclear weapons program. The cryptocurrency industry must remain vigilant and adopt robust security measures to mitigate the risk of such attacks. Furthermore, all organizations should prioritize cybersecurity to protect their assets and sensitive information from state-sponsored hacking groups.

First reported on Reuters

Frequently Asked Questions

Q. What is the recent cybersecurity breach involving JumpCloud?

In a recent cybersecurity breach, North Korea-backed hackers targeted JumpCloud, a prominent U.S. enterprise software company. JumpCloud provides authentication, authorization, and user/device management solutions for enterprises. The breach involved infiltrating JumpCloud’s systems and was attributed to a sub-group of the Lazarus hacking group known as Labyrinth Chollima.

Q. What is Lazarus, and what is its history with cryptocurrency-related attacks?

Lazarus is a hacking group associated with North Korea that has been actively tracked by cybersecurity companies since 2009. The group is notorious for its association with North Korea’s sanctioned nuclear weapons program. Lazarus has a history of targeting the cryptocurrency sector to finance illicit activities and has been linked to previous attacks on crypto entities such as the Ronin Network and Harmony’s Horizon Bridge.

Q. How did researchers link the JumpCloud breach to North Korea-backed hackers?

Researchers from Crowdstrike and SentinelOne independently linked the JumpCloud breach to Lazarus, a North Korea-backed hacking group. Adam Meyers from Crowdstrike stated that the group responsible for the attack is one of the most prolific adversaries associated with North Korea. Tom Hegel from SentinelOne confirmed that indicators of compromise (IOCs) shared by JumpCloud are linked to a range of activities attributed to North Korea.

Q. What is the motivation behind North Korea’s hacking activities in the cryptocurrency sector?

North Korea has utilized crypto-stealing operations to finance its sanctioned nuclear weapons program. The country’s illicit IT workers fraudulently gain employment worldwide to generate funds for supporting the regime’s weapons of mass destruction programs. The cryptocurrency industry’s growing popularity and value make it an attractive target for state-sponsored hacking groups seeking financial gain or funding for illicit activities.

Q. How did the JumpCloud breach impact its customers?

While specific details of the breach’s impact on JumpCloud customers remain undisclosed, the company responded swiftly by resetting affected customers’ API keys and implementing necessary measures to secure their network and perimeter. The breach reportedly affected a small and specific set of customers, considering that JumpCloud’s software is used by over 180,000 organizations and has more than 5,000 paying customers.

Q. What can the cryptocurrency industry do to protect against such attacks?

The cryptocurrency industry must remain vigilant and implement robust security measures to safeguard digital assets and protect users’ sensitive information. This includes investing in comprehensive cybersecurity measures, such as employee training, threat intelligence, vulnerability assessments, and incident response plans.

Q. How can organizations protect themselves from state-sponsored hacking groups like Lazarus?

All organizations, regardless of size or industry, must prioritize cybersecurity to protect their assets and sensitive information from state-sponsored hacking groups. This includes adopting robust security measures, investing in employee training, and staying updated on the latest cybersecurity threats and attack techniques.

Q. What are the broader implications of state-sponsored cyber attacks like the one on JumpCloud?

State-sponsored cyber attacks pose a persistent threat to various industries and organizations worldwide. The JumpCloud incident highlights the need for enterprises to take proactive measures to protect against such attacks. It also underscores the importance of collaboration between the private sector and governments in countering state-sponsored cyber threats.

Featured Image Credit: Unsplash

John Boitnott

John Boitnott is a news anchor at ReadWrite. Boitnott has worked at TV News Anchor, print, radio and Internet companies for 25 years. He’s an advisor at StartupGrind and has written for BusinessInsider, Fortune, NBC, Fast Company, Inc., Entrepreneur and Venturebeat. You can see his latest work on his blog, John Boitnott