Dive Brief:

• JumpCloud confirmed the impact of a cyberattack last month was limited to a handful of its customers, the company said Thursday in a security incident update.
• “Fewer than five JumpCloud customers were impacted and fewer than 10 devices total were impacted, out of more than 200,000 organizations who rely on the JumpCloud platform for a variety of identity, access, security and management functions,” CISO Bob Phan said in the incident report.
• The identity and access management provider directly notified all impacted customers, Phan said. JumpCloud declined to identify the organizations impacted or say what, if any, data was stolen.

Dive Insight:

The supply-chain attack targeted specific JumpCloud customers operating in the cryptocurrency sector and was carried out by a threat actor linked to the North Korean government, according to security researchers.

JumpCloud’s incident response partner CrowdStrike identifies the prolific threat actor as Labyrinth Cholloma, a sub-group of Lazarus that has been active since at least 2009.

SentinelOne and Mandiant also attributed the spear-phishing attack to an APT actor linked to North Korea. Mandiant said it’s currently working with a downstream victim that was compromised by the JumpCloud intrusion starting June 27.

“Mandiant assesses this campaign was primarily focused on obtaining credentials from priority targets and reconnaissance data for future intrusions,” Austin Larsen, senior incident response consultant at Mandiant, a Google Cloud unit, said via email.

“This is a financially motivated threat actor that we’ve seen increasingly target the cryptocurrency industry and various blockchain platforms,” Larsen said. “We anticipate there are other victims that are dealing with this.”

Security researchers used the indicators of compromise shared by JumpCloud earlier this week to make their attributions. JumpCloud’s investigation with federal law enforcement and CrowdStrike remains ongoing.

JumpCloud first discovered anomalous activity on an internal orchestration system on June 27, which it linked to a June 22 spear-phishing attack that involved data injection into the company’s commands framework. The company said it first observed evidence of customer impact on July 5, when the company invalidated and reset the API keys for all administrators.

JumpCloud provides multidirectory management, identity and access management, multifactor authentication, single sign-on and integration with various third-party services.

The company did not respond to a request for additional information.

“JumpCloud is committed to the highest security standards in the industry, rapid response and mitigation for the safety of our customers, and open communication for the benefit of the industry,” Phan said.