
Sub Lazarus Group Labyrinth Chollima Suspected in JumpCloud Supply Chain Attack

An analysis of the indicators of compromise (IoCs) linked to the JumpCloud hack has revealed intriguing evidence suggesting the involvement of state-sponsored groups from North Korea. The attack exhibits characteristics reminiscent of the supply chain attack that previously targeted 3CX.

SentinelOne meticulously mapped out the infrastructure associated with the intrusion, unveiling hidden patterns in the process. Interestingly, JumpCloud had attributed the attack to an unnamed “sophisticated nation-state sponsored threat actor” in a recent statement.

In a related development, CrowdStrike, which is collaborating with JumpCloud on the investigation, has attributed the attack to a North Korean actor known as Labyrinth Chollima, a subgroup within the infamous Lazarus Group.

The attack served as a “springboard” for targeting cryptocurrency companies, suggesting the adversary’s attempts to generate illicit revenue for the sanctioned North Korean regime.

GitHub made a noteworthy discovery of a limited-scale social engineering campaign that specifically targets personal accounts of technology firm employees. The campaign cleverly employs a mix of repository invitations and malevolent npm package dependencies. The focus of these attacks is on accounts associated with the blockchain, cryptocurrency, or online gambling industries, making it a strategically aimed operation.

Threat Actor Also Identified as “Jade Sleet”

The Microsoft subsidiary attributes this campaign to a North Korean hacking group they track under the moniker Jade Sleet (aka TraderTraitor). The attack vectors involve the creation of fake personas on GitHub and other social media platforms such as LinkedIn, Slack, and Telegram. In some instances, the threat actor may have even taken control of legitimate accounts.

Under these assumed personas, Jade Sleet contacts the targets and invites them to collaborate on a GitHub repository, deceiving the victims into cloning and executing the contents. These contents contain decoy software with malicious npm dependencies acting as first-stage malware, eventually leading to the download and execution of second-stage payloads on the infected machines.

SentinelOne’s latest analysis links one of the IP addresses involved in the JumpCloud attack (144.217.92[.]197) to npmaudit[.]com, one of the eight domains listed by GitHub as used to fetch the second-stage malware. Another IP address (23.29.115[.]171) maps to npm-pool[.]org.
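As an added example (not code from the article, SentinelOne or GitHub), the script below refangs the two IP/domain pairs quoted above and matches them as whole tokens against constructed DNS and proxy log lines, so a defender can see which hosts touched either side of a pair without a partial IP such as 144.217.92.1 triggering a false match. The log format and host names are assumptions.

```python
import re
from collections import defaultdict

# Indicator pairs quoted in the article above (kept defanged as published).
ARTICLE_IOCS = {
    "144.217.92[.]197": "npmaudit[.]com",
    "23.29.115[.]171": "npm-pool[.]org",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('[.]', 'hxxp') back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_watchlist(iocs):
    """Index both the IP and the domain of each pair under one shared label."""
    watch = {}
    for ip, domain in iocs.items():
        label = f"{refang(ip)} <-> {refang(domain)}"
        watch[refang(ip)] = label
        watch[refang(domain).lower()] = label
    return watch


def scan_logs(lines, watch):
    """Return {host: sorted labels} for every line that contains a watched token.
    Tokens come from anchored regexes, so 144.217.92.1 never matches 144.217.92.197."""
    hits = defaultdict(set)
    for line in lines:
        m = re.search(r"host=(\S+)", line)
        host = m.group(1) if m else "unknown"
        tokens = set(IPV4_RE.findall(line)) | {d.lower() for d in DOMAIN_RE.findall(line)}
        for tok in tokens:
            if tok in watch:
                hits[host].add(watch[tok])
    return {h: sorted(v) for h, v in hits.items()}


# Constructed sample DNS/proxy lines in an assumed key=value format (not real telemetry).
SAMPLE_LOGS = [
    "2023-07-14T10:02:11Z host=dev-laptop-07 type=dns query=npmaudit.com answer=144.217.92.197",
    "2023-07-14T10:02:13Z host=dev-laptop-07 type=proxy dst=144.217.92.197:443 sni=npmaudit.com",
    "2023-07-14T10:05:40Z host=build-agent-02 type=dns query=registry.npmjs.org answer=203.0.113.10",
    "2023-07-14T10:06:02Z host=build-agent-02 type=proxy dst=144.217.92.1:443 sni=example.net",
    "2023-07-14T11:15:09Z host=dev-laptop-12 type=proxy dst=23.29.115.171:443 sni=npm-pool.org",
]

if __name__ == "__main__":
    for host, labels in scan_logs(SAMPLE_LOGS, build_watchlist(ARTICLE_IOCS)).items():
        print(host, labels)
```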

The JumpCloud intrusion is a clear illustration of the group's inclination towards supply chain targeting, which offers a plethora of potential follow-on intrusions. North Korea exhibits a profound understanding of the benefits of carefully selecting high-value targets as pivot points for supply chain attacks into fruitful networks.
