Cybersecurity experts have determined North Korean hackers are to blame for a recent cyber assault at corporate software provider JumpCloud.
Hackers from North Korea's Reconnaissance General Bureau (RGB), a renowned hacking group known for attacking cryptocurrency businesses and collecting credentials from CEOs and security staff, were blamed for the incident. Due to an error, the fraudsters accidentally disclosed their IP addresses, resulting in their exposure.
How Did North Korean Hackers Got Busted
One of JumpCloud's impacted clients received aid from cybersecurity specialist Mandiant, who recognized the hackers as members of the UNC4899 threat group, a brand-new, unclassified organization, according to TechCrunch. The hackers frequently used paid VPN services to mask their IP addresses, but when those services broke down or were not used, they unintentionally revealed their connection from Pyongyang.
According to Mandiant's analysis, this disclosure of the JumpCloud hackers was an "OPSEC slip-up," a term for operational security lapses that may unintentionally disclose a hacker's behavior. The investigation also revealed additional, previously connected to earlier North Korean hackers, infrastructure utilized in the attack.
Charles Carmaka, chief technology officer of Mandiant, stressed that cyber threat actors with a North Korean connection are advancing their capacity to steal Bitcoin. They have been involved in a number of operations over the last year, such as supply chain hacks, tainted software releases, and the introduction of unique malware into MacOS computers.
Read Also: China Appeals to Japan: Avoid Disrupting Semiconductor Industry Amid Export Limits
Carmakal emphasized that while the hackers are skilled at using cryptocurrencies to compromise firms, their errors have let researchers link them to several breaches.
SentinelOne and CrowdStrike, two cybersecurity companies, corroborated the JumpCloud hack, adding to the body of evidence supporting North Korean participation. The Lazarus group, another catch-all name for North Korean cyber operations, has shown improved alignment and coordination in aiming its attacks at different industries, as per a Cyberscoop report.
JumpCloud Releases Statement
JumpCloud's breach became known when the firm advised clients to change their login passwords as a precaution due to the continuing situation. Later, it was discovered that the intrusion took place on June 27.
One of North Korea's most active hacker gangs, Labyrinth Chollima, is known for its audacious and disruptive online breaches, which result in considerable losses from bitcoin theft.
JumpCloud said last week that the North Korean hacking effort impacted less than 10 devices and less than five of its business clients. JumpCloud quickly responded to the incident discovered in June by resetting its client API credentials.
JumpCloud has over 200,000 business clients, including well-known brands like Foursquare, ClassPass, and GoFundMe.
When contacted for comment on the incident, the Pyongyang delegation to the UN in New York remained silent, according to Reuters. Despite a wealth of evidence, including UN reports, pointing to North Korea's participation in digital currency heists, the socialist country has previously vehemently denied any connection to such crimes.
Related Article: Wrapped Bitcoin's (WBTC) Influence on Crypto Wallets
