Daily Management Review

Crypto Stolen By North Korean Hackers After Breaching A US Tech Firm


According to the company and cybersecurity specialists, a hacking group backed by the North Korean government broke into an American IT management company and used that access as a launching pad to attack cryptocurrency companies.
JumpCloud, based in Louisville, Colorado, stated in a blog post that the hackers targeted "fewer than 5" of its customers after breaking into the company's systems in late June.
JumpCloud did not identify the affected customers, but the cybersecurity firms CrowdStrike Holdings, which is assisting JumpCloud, and Alphabet-owned Mandiant, which is assisting one of JumpCloud's clients, both said the hackers involved are known to specialise in cryptocurrency theft.
Two sources with knowledge of the situation confirmed that the targeted JumpCloud clients were cryptocurrency companies.
The hack shows how North Korean cyberspies, who were previously content to target digital currency companies one at a time, are now compromising businesses whose systems give them a path to several victims downstream, a strategy known as a "supply chain attack": rather than breaching each target directly, the attacker abuses the trusted access that a vendor such as an identity or IT management provider already holds into its customers' environments.
“North Korea in my opinion is really stepping up their game,” said Tom Hegel of the U.S. firm SentinelOne, who independently confirmed Mandiant and CrowdStrike's attribution.
Pyongyang's mission to the United Nations in New York did not respond to a request for comment. North Korea has previously denied orchestrating digital currency heists, despite overwhelming evidence to the contrary, including U.N. investigations.
CrowdStrike identified the hackers as "Labyrinth Chollima", one of numerous groups alleged to work on behalf of North Korea. Mandiant said the hackers in question are employed by the Reconnaissance General Bureau (RGB), North Korea's main foreign intelligence agency.
The U.S. cyber watchdog agency CISA and the FBI did not comment on the matter.
JumpCloud's breach first became public earlier this month, when the company emailed its clients to tell them that their login credentials would be rotated "out of an abundance of caution relating to an ongoing incident."
An earlier draft of the blog post, which acknowledged that the incident was a hack, said JumpCloud detected the intrusion on June 27. North Korea was first named as a suspect in the intrusion earlier this week by two sources quoted on the cybersecurity-focused podcast Risky Business.
Labyrinth Chollima is one of North Korea's most active hacking groups and is thought to be behind some of the most audacious and disruptive cyberattacks on record.
Its cryptocurrency theft has cost victims a staggering amount of money: according to data from the blockchain analytics company Chainalysis, North Korean-linked entities stole an estimated $1.7 billion in digital currency last year.
Adam Meyers, CrowdStrike's senior vice president of intelligence, warned against underestimating Pyongyang's hacking teams.
"I don't think this is the last we'll see of North Korean supply chain attacks this year," he said.