Analysis of indicators of compromise (IoCs) tied to the JumpCloud hack has uncovered evidence suggesting the involvement of a North Korean state-sponsored group, in a style reminiscent of the supply chain attack targeting 3CX.
The findings come from SentinelOne, which mapped the intrusion-related infrastructure to uncover the underlying pattern. It should be noted that JumpCloud, last week, attributed the attack to an unnamed “sophisticated nation-state sponsored threat actor”.
“North Korean threat actors demonstrated a high degree of creativity and strategic awareness in their targeting strategy,” SentinelOne security researcher Tom Hegel told The Hacker News. “The research findings reveal the successful and multifaceted approaches used by these actors to infiltrate developer environments.”
“They are actively seeking access to tools and networks that can serve as gateways to broader opportunities. Their tendency to execute multiple levels of supply chain intrusions before engaging in financially motivated theft is noteworthy.”
In a related development, CrowdStrike, which worked with JumpCloud to investigate the incident, pinned the attack to a North Korean actor known as Labyrinth Chollima, a sub-cluster within the infamous Lazarus Group, according to Reuters.
The infiltration was used as a “springboard” to target cryptocurrency companies, the news agency said, pointing to attempts by adversaries to generate illegal revenue for the sanctioned country.
The disclosure also coincided with a low-volume social engineering campaign identified by GitHub targeting the personal accounts of technology company employees, using a mix of malicious repository invites and npm package dependencies. The targeted accounts are associated with the blockchain, cryptocurrency, online gambling, or cybersecurity sectors.
GitHub, a Microsoft subsidiary, linked the campaign to a North Korean hacking group it tracks under the name Jade Sleet (aka TraderTraitor).
“Jade Sleet mostly targets cryptocurrency-related users and other blockchain-related organizations, but also targets vendors used by those companies,” Alexis Wales of GitHub said in a report published on July 18, 2023.
The chain of attacks involves setting up fake personas on GitHub and other social media services such as LinkedIn, Slack, and Telegram, although in some cases it is believed the attackers have taken control of legitimate accounts.
Under the assumed persona, Jade Sleet initiates contact with targets and invites them to collaborate on a GitHub repository, convincing victims to clone and run the content, which displays decoy software with malicious npm dependencies that act as first-stage malware to download and execute second-stage payloads on infected machines.
The malicious npm package, per GitHub, is part of a campaign that was first exposed last month, when Phylum detailed a supply chain threat involving a unique execution chain that used a pair of deceptive modules to retrieve unknown malware from a remote server.
SentinelOne, in its latest analysis, says 144.217.92(.)197, an IP address associated with the JumpCloud attack, resolves to npmaudit(.)com, one of eight domains listed by GitHub that were used to fetch second-stage malware. A second IP address, 23.29.115(.)171, maps to npm-pool(.)org.
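The infrastructure overlap described above is the kind of check an analyst runs when two vendor reports publish defanged indicators in different notations. The following is an added example, not code from SentinelOne, GitHub or the article: it refangs indicators and correlates one report's IP addresses against another's domains via passive-DNS records. The passive-DNS records are constructed for the example; the two IP-to-domain pairs are the ones the article reports, and only the two GitHub-listed domains named in the article are included.

```python
import re
from typing import Dict, Iterable, Set, Tuple

# Vendor reports defang indicators as "144.217.92(.)197", "npmaudit(.) com",
# "hxxps://npm-pool[.]org". Refanging normalises them so two reports can be
# compared byte-for-byte.
_DOT_RE = re.compile(r"\s*[\(\[\{]\s*\.\s*[\)\]\}]\s*")


def refang(indicator: str) -> str:
    """Return a defanged IoC in plain form, lower-cased and trimmed."""
    s = indicator.strip().lower()
    s = _DOT_RE.sub(".", s)  # "(.)", "[.]", "{.}" with stray spaces -> "."
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)  # hxxp(s):// -> http(s)://
    return s


def correlate(pdns: Iterable[Tuple[str, str]], ips: Iterable[str],
              domains: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each IP from report A to the report-B domains it resolves to in pDNS."""
    ip_set = {refang(i) for i in ips}
    domain_set = {refang(d) for d in domains}
    hits: Dict[str, Set[str]] = {}
    for ip, host in pdns:
        ip, host = refang(ip), refang(host)
        if ip in ip_set and host in domain_set:
            hits.setdefault(ip, set()).add(host)
    return hits


# Constructed passive-DNS sample (ip, hostname). The first two pairs are the
# resolutions the article reports; the third is a constructed benign record
# using an RFC 5737 documentation address.
SAMPLE_PDNS = [
    ("144.217.92(.)197", "npmaudit(.) com"),
    ("23.29.115(.)171", "npm-pool(.)org"),
    ("198.51.100.7", "example.invalid"),
]
JUMPCLOUD_IPS = ["144.217.92(.)197", "23.29.115(.)171"]
# Only two of the eight GitHub-listed domains appear in the article.
GITHUB_DOMAINS = ["npmaudit[.]com", "npm-pool(.)org"]


def jumpcloud_github_overlap() -> Dict[str, Set[str]]:
    return correlate(SAMPLE_PDNS, JUMPCLOUD_IPS, GITHUB_DOMAINS)


if __name__ == "__main__":
    for ip, hosts in sorted(jumpcloud_github_overlap().items()):
        print(ip, "->", ", ".join(sorted(hosts)))
```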
“It is clear that North Korean threat actors are continuously adapting and exploring new methods to infiltrate targeted networks,” Hegel said. “JumpCloud’s intrusion serves as a clear illustration of their tendency towards supply chain targeting, which generates a lot of potential for ensuing disruptions.”
“The DPRK demonstrates a deep understanding of the benefits to be derived from careful selection of high-value targets as pivot points for executing supply chain attacks into beneficial networks,” added Hegel.