North Korean threat actors have been linked to a breach of enterprise software company JumpCloud. A recent report from Mandiant sheds light on the hacking unit operated by North Korea's Reconnaissance General Bureau (RGB), which primarily targets cryptocurrency companies in an effort to fund the country's sanctioned nuclear weapons program.
Researchers were able to attribute the breach to the RGB due to a significant operational security (OpSec) oversight on the part of the hackers, which has raised concerns about the evolving cyber offensive capabilities of state-sponsored threat actors.
Mandiant's investigation into the JumpCloud breach revealed a clear connection between the intrusion and UNC4899, a new and unclassified threat group operating under the RGB. The group is notorious for stealing passwords from executives and security teams of cryptocurrency companies in order to launch attacks and steal funds.
What sets this breach apart from others is the inadvertent exposure of the attackers' real-world IP addresses due to an OpSec mistake. UNC4899 had historically relied on commercial virtual private network (VPN) services to obscure their true locations. However, during the JumpCloud attack, the VPNs they employed failed to work effectively, leaving them vulnerable to discovery. Consequently, their access from Pyongyang was traced back to the breach, ultimately leading to their identification.
Corey O'Connor, Director of Products at DoControl, expressed concern over the increasing focus of state-sponsored threat actors on SaaS application and services providers:
"The JumpCloud breach is another justification to extend security beyond the identity layer. SaaS application and services providers are becoming a primary target for executing a supply chain-based attack. An organization's Identity layer serves as the new perimeter. Neglecting this reality, and choosing to not extend strong security controls further down the stack, will leave organizations vulnerable to these types of advanced nation-state attacks."
Mike Parkin, Senior Technical Engineer at Vulcan Cyber, highlighted Mandiant's thorough analysis and agreed with their attribution of the attack to UNC4899:
"Mandiant's analysis of this attack was deep and, without additional forensic data, it's hard to find fault with their conclusions. This is an excellent example of the convergence between state-sponsored threats and cybercriminal activity, where the line between financial and intelligence motivations are fuzzy at best. Assuming attribution to the DPRK is correct, it reinforces the image that in the context of cybercrime they have little interest in being part of the solution."
The group's primary objective remains to steal cryptocurrency, which has been demonstrated in multiple supply chain attacks and the deployment of custom malware on macOS systems.
The group's motivation to fund North Korea's nuclear ambitions through cryptocurrency theft has driven them to adopt sophisticated techniques while leaving occasional vulnerabilities, as witnessed in the JumpCloud breach.
The accidental exposure of the hackers' IP addresses serves as a poignant reminder that even advanced threat actors are not invincible, and a momentary OpSec slip up can lead to their identification.
Follow SecureWorld News for more stories related to cybersecurity.
