A security breach at U.S. I.T. management company JumpCloud has been linked to a North Korean-backed hacking group on Thursday, according to a security update on JumpCloud’s blog.
The breach, which JumpCloud believes occurred on June 22, was described as being specifically targeted. The company said fewer than five of its customers were impacted by the breach.
Cybersecurity company CrowdStrike identified the hackers as Labyrinth Chollima, a subgroup of the Lazarus hacking group. People familiar with the situation told Reuters the companies who were targeted were all cryptocurrency companies.
The FBI has identified Lazarus as a state-sponsored organization. The JumpCloud attack isn’t the first time the group has been involved in the theft of cryptocurrency, with the most recent known large-scale incident being the Horizon Bridge attack in June 2022.
The Democratic People's Republic of Korea has denied allegations of organizing these digital thefts, despite significant evidence of its involvement. A 2022 United Nations report obtained by Reuters claimed the country had set a record for cybertheft last year.
While tracking the exact value of the assets stolen is difficult due to the volatile nature of cryptocurrency, the U.N. estimated roughly $1.7 billion in assets had been stolen. An independent report from U.S. blockchain analytics firm Chainalysis reached the same estimate, with thefts connected to North Korea accounting for almost half of the $3.8 billion in cryptocurrency theft in 2022.
This number is a substantial increase from previous estimates: in 2021 the country was believed to be linked to over $400 million in asset theft, and its previous believed record, over $500 million in 2018, is less than a third of the 2022 estimate. In 2019, U.S. sanctions monitors believed the country had raked in nearly $2 billion through cyberattacks in order to fund its nuclear weapons program.
The massive increase in theft-generated revenue over the last year can likely be traced to the group’s use of a tactic called a “supply chain attack,” which targets companies like JumpCloud that have access to a larger group of potential victims. In the past, hacking groups were more comfortable attacking individual companies, often through extortion via ransomware and phishing operations.
Lazarus, as well as hacker groups Kimsuky and Andariel, are just some of those believed to be under the control of North Korea’s primary intelligence bureau: the Reconnaissance General Bureau. An asset freeze on the Lazarus Group was proposed in May 2022 but blocked by a veto from China and Russia.
Cyberattacks from North Korea are far from a new phenomenon, with Lazarus being one of the most prolific groups, in operation since at least 2009. Outside of crypto asset theft, the group has also been involved in more general espionage, such as being responsible for the infamous Sony hack in 2014.
Adam Meyers, the senior vice president for intelligence at CrowdStrike, said hacking groups from Pyongyang should not be underestimated and to expect further supply chain attacks before the end of the year.