Mandiant research has attributed the hack to UNC4899, a Democratic People's Republic of Korea (DPRK) threat actor with a history of targeting companies within the cryptocurrency vertical.

An OpSec slip-up revealed the actual IP address of the threat actors behind the JumpCloud hack, according to a report by Mandiant. The cybersecurity firm attributed the intrusions to UNC4899, a North Korean threat actor with a history of targeting companies within the cryptocurrency vertical.

"Mandiant assesses with high confidence that UNC4899 is a cryptocurrency-focused element within the DPRK's Reconnaissance General Bureau (RGB)," Mandiant said in the report.

JumpCloud provides its cloud directory platform to more than 180,000 organizations across 160 countries.

The researchers also uncovered additional infrastructure because a PTR (reverse DNS) record had never been changed from a previous operation. Mandiant has previously identified the domain wasxxv[.]site being used by North Korean threat actors.

Exposed IP address

North Korea's RGB units use a series of Operational Relay Boxes (ORBs) together with commercial VPN providers to obscure their source addresses. These relays appear to be shared among units under the RGB umbrella, according to Mandiant.

UNC4899 used various VPN providers as the final hop in their attack, the most common being ExpressVPN, but connections through NordVPN, TorGuard, and many other providers have also been observed. However, according to Mandiant, there have been many occasions on which DPRK threat actors did not employ this last hop, or mistakenly failed to use it while conducting operations on the victim's network. The VPNs used by RGB actors occasionally fail, which revealed the true origin IP addresses of the threat actor.

"Mandiant observed the DPRK threat actor UNC4899 connecting directly to an attacker-controlled ORB from their 175.45.178[.]0/24 subnet (Ryugyong Dong, Pyongyang). Additionally, we observed the DPRK threat actor log directly into a Pyongyang IP from one of their jump boxes," Mandiant said. This confirmed the location of the attacker behind the hack.

JumpCloud hack

In an incident report last week, JumpCloud said fewer than five of its corporate customers and fewer than 10 devices were targeted. The company reset its customer API keys after reporting an intrusion in June.

"On June 27 at 15:13 UTC we discovered anomalous activity on an internal orchestration system which we traced back to a sophisticated spear phishing campaign perpetrated by the threat actor on June 22," the software company said.

Analysis by the company showed that the attacker had injected malicious data into the company's commands framework, and confirmed suspicions that the attack was extremely targeted and limited to specific customers. The attack vector used by the threat actor has since been mitigated.

North Korea continues to target cryptocurrency firms

The UNC4899 targeting overlaps with that of a separate RGB-aligned group, APT43, which in July displayed interest in the cryptocurrency vertical, specifically targeting a variety of C-suite executives at multiple fintech and cryptocurrency companies in the US, South Korea, Hong Kong, and Singapore, according to Mandiant. Many of the individuals work at organizations related to financial services, cryptocurrency, blockchain, web3, and related entities.

"The overlaps in targeting and sharing of infrastructure amongst DPRK groups highlights the continued targeting and coordinated interest in the cryptocurrency field," Mandiant said.

RGB-aligned, crypto-focused groups, publicly reported under the umbrella term Lazarus, and clear variants of historic, established APT threat actors publicly tracked as "TraderTraitor" and "AppleJeus", have increasingly conducted financially motivated operations affecting the cryptocurrency industry and various blockchain platforms, according to Mandiant.
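As an added example (not code from Mandiant's or JumpCloud's reporting), a defender-side triage script that applies the two indicators described above to login records: source addresses inside the 175.45.178[.]0/24 subnet that a failed VPN/ORB hop would expose, and relay addresses whose PTR record still names the previously reported wasxxv[.]site domain. The log format and the reverse-DNS table are constructed so the script runs offline.

```python
import ipaddress
import re
# Indicators taken from the Mandiant reporting above (domain kept defanged until use).
DPRK_SOURCE_NETS = [ipaddress.ip_network("175.45.178.0/24")]  # Ryugyong Dong, Pyongyang
KNOWN_DPRK_DOMAINS = ["wasxxv[.]site"]                         # previously reported DPRK domain

def refang(indicator):
    """Turn a defanged indicator such as 'wasxxv[.]site' back into a usable name."""
    return indicator.replace("[.]", ".")

# Constructed reverse-DNS table standing in for live PTR lookups (socket.gethostbyaddr or passive DNS).
PTR_TABLE = {
    "198.51.100.23": "relay01.wasxxv.site.",  # constructed: PTR never updated after an older operation
    "203.0.113.9": "exit-12.vpn.example.",    # constructed: ordinary commercial VPN exit
}
# Constructed log format: one admin-console login record per line, with the client source address.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def source_hits(ip, ptr_table=PTR_TABLE):
    """Return the reasons a source address is suspicious, or [] if none apply."""
    reasons = []
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in DPRK_SOURCE_NETS):   # VPN/ORB chain failed: true origin visible
        reasons.append("direct-from-dprk-subnet")
    ptr = ptr_table.get(ip, "").rstrip(".").lower()    # relay reused: stale PTR still names old infra
    for dom in (refang(d) for d in KNOWN_DPRK_DOMAINS):
        if ptr == dom or ptr.endswith("." + dom):
            reasons.append("ptr-points-at-known-dprk-domain")
            break
    return reasons

def triage(lines):
    """Scan login records; return (timestamp, src, user, reasons) for each flagged entry."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip records that do not match the expected format
        reasons = source_hits(m["src"])
        if reasons:
            flagged.append((m["ts"], m["src"], m["user"], reasons))
    return flagged

# Constructed sample records: a direct DPRK-subnet login, a login via a relay with a stale PTR, and a benign VPN exit.
SAMPLE_LOG = [
    "2023-06-22T10:01:07Z src=175.45.178.14 user=ops-admin result=success",
    "2023-06-22T10:03:41Z src=198.51.100.23 user=ops-admin result=success",
    "2023-06-22T10:05:00Z src=203.0.113.9 user=dev1 result=success",
]
```

Running `triage(SAMPLE_LOG)` flags the first two records and leaves the commercial VPN exit alone; in production the PTR table would be replaced by live or passive-DNS lookups.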