UPDATED 18:14 EDT / JULY 20 2023


JumpCloud hack attributed to ‘Labyrinth Chollima’ North Korean hacking group

A cyberattack on cloud directory-as-a-service provider JumpCloud Inc. that first came to light earlier this month has been attributed to a North Korean hacking group.

According to a blog post from JumpCloud last week, the attack was first detected as “anomalous activity on an internal orchestration system,” which was traced back to a sophisticated spear-phishing campaign by a threat actor on June 22. A forensic investigation then led to the discovery of further unusual activity in the company’s network, resulting in JumpCloud resetting customers’ admin application programming interface keys.

In the post, JumpCloud attributed the attack to a “sophisticated nation-state sponsored threat actor” but didn’t name a country or suspected hacking group. Fast-forward a week, and CrowdStrike Holdings Inc., which worked with JumpCloud to investigate the breach, has attributed it to the North Korean hacking group “Labyrinth Chollima.”

Labyrinth Chollima, also tracked as UNC4736 and AppleJeus, was linked to the hack of videoconferencing and business phone management application provider 3CX in March. The group has also been linked to the infamous North Korean hacking group Lazarus.

The links between the JumpCloud hack and North Korea have also been confirmed in analysis by security researchers at SentinelOne Inc. The SentinelLabs report suggests that the intrusion illustrates the propensity of North Korean threat actors to target supply chains, allowing them to launch multiple subsequent intrusions. The report also provides evidence that these actors understand the benefits derived from carefully selecting high-value targets as a pivot point for conducting supply chain attacks into fruitful networks.

If two security companies linking the attack to North Korea are not enough, Mandiant Inc. makes it three: The Google LLC-owned security company also confirmed the intrusion came from North Korea.

“Mandiant is currently working with a downstream victim that was compromised as a result of JumpCloud intrusion,” a spokesperson from Mandiant told SecurityWeek today. “Based on our initial analysis, Mandiant assesses with high confidence that this is a cryptocurrency-focused element within the DPRK’s Reconnaissance General Bureau, targeting companies with cryptocurrency verticals to obtain credentials and reconnaissance data.”

Given the attention, JumpCloud has since confirmed that the attack was North Korean, saying in an updated blog post that fewer than five JumpCloud customers and fewer than ten devices were impacted out of the company’s more than 200,000 customers.

“We continue our ongoing investigation with US federal law enforcement and CrowdStrike,” JumpCloud said in the updated post. “We remain in contact with our impacted customers.”
