
Mandiant reveals how JumpCloud breach resulted in a supply chain attack


A recent supply chain attack against a U.S. software company has been linked to the data breach at JumpCloud that was reported last month, according to cybersecurity firm Mandiant. JumpCloud, a cloud provider that offers identity and access management services, disclosed in early July that it had been breached by a nation-state threat actor through a spear phishing campaign. The breach involved the compromise of JumpCloud’s commands framework, which was then used to carry out targeted attacks against a small number of customers.

Mandiant, which is owned by Google Cloud, provided further details on the attack in a recent blog post. The firm stated that it had responded to a supply chain attack against a U.S. software company that was also a JumpCloud customer. The attack is believed to have started with a sophisticated spear phishing campaign aimed at JumpCloud. Mandiant discovered a malicious script on June 27 that had been executed by a JumpCloud agent at the software company. This script, written in the Ruby programming language, was designed to download and execute a second payload.

Within 24 hours of gaining access to the customer’s environment, the threat actor established persistent access through backdoors and plist files. Mandiant determined that the supply chain attack was carried out by UNC4899, a group linked to the Democratic People’s Republic of Korea (DPRK). UNC4899, which has targeted cryptocurrency companies in the past, is believed to be a cryptocurrency-focused group within the DPRK’s intelligence agency known as the Reconnaissance General Bureau (RGB).
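The persistence described above (backdoors registered through plist files) is what a responder would audit on every host that ran the JumpCloud agent. The script below is an added example, not code from Mandiant, JumpCloud or this incident, and it reproduces no indicator from the report: it parses macOS launchd property lists with Python's standard `plistlib` and flags entries that invoke a scripting interpreter or download tool, reference a user-writable path or a URL, or combine `RunAtLoad` with `KeepAlive`. The two sample plists and the `stage2.example.invalid` host are constructed for the example; the directory list is the standard set of launchd locations.

```python
import plistlib
from pathlib import Path

# Interpreters and download tools that rarely belong in a launchd job on a managed host.
SUSPICIOUS_BINARIES = {"ruby", "python", "python3", "perl", "osascript",
                       "curl", "wget", "bash", "sh", "zsh", "nc"}
# Locations an unprivileged user can write to; a persistent job referencing them is a signal.
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/")
# Standard launchd directories on macOS (LaunchAgents run per user, LaunchDaemons as root).
LAUNCHD_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")

# Constructed sample: an ordinary vendor updater job.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

# Constructed sample: an interpreter launched from a user-writable path with a URL argument,
# restarted whenever it exits. The host name is a placeholder, not a real indicator.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/ruby</string>
    <string>/Users/Shared/.cache/helper.rb</string>
    <string>https://stage2.example.invalid/p</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""


def program_arguments(plist):
    """Return the launchd invocation as a list, whether given as Program or ProgramArguments."""
    args = plist.get("ProgramArguments")
    if isinstance(args, list):
        return [str(a) for a in args]
    program = plist.get("Program")
    return [str(program)] if program else []


def assess_launchd_plist(data):
    """Parse one launchd plist (bytes) and return its label, invocation and suspicion reasons."""
    plist = plistlib.loads(data)
    args = program_arguments(plist)
    reasons = []
    if args:
        binary = Path(args[0]).name
        if binary in SUSPICIOUS_BINARIES:
            reasons.append(f"runs interpreter/downloader {binary}")
        for arg in args:
            if arg.startswith(USER_WRITABLE_PREFIXES):
                reasons.append(f"references user-writable path {arg}")
        if any(token.startswith(("http://", "https://")) for token in args):
            reasons.append("command line contains a URL")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (job restarts if killed)")
    return {"label": plist.get("Label", "<no label>"), "args": args, "reasons": reasons}


def scan_launchd_dirs(dirs=LAUNCHD_DIRS):
    """Assess every .plist under the given directories; unreadable files are reported, not skipped."""
    findings = []
    for d in dirs:
        base = Path(d).expanduser()
        if not base.is_dir():
            continue
        for path in sorted(base.glob("*.plist")):
            try:
                result = assess_launchd_plist(path.read_bytes())
            except (plistlib.InvalidFileException, ValueError, OSError) as exc:
                result = {"label": "<unparsable>", "args": [], "reasons": [f"could not parse: {exc}"]}
            result["path"] = str(path)
            if result["reasons"]:
                findings.append(result)
    return findings


if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        print(assess_launchd_plist(sample))
    for finding in scan_launchd_dirs():
        print(finding["path"], finding["label"], "; ".join(finding["reasons"]))
```

Run it as the user whose agent is under review and again as root so that both the per-user LaunchAgents and the system LaunchDaemons are covered; a job that trips several reasons at once deserves the same triage as an unknown binary.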

This specific attack involved the targeting of macOS keychains and reconnaissance data associated with executives and internal security teams. Mandiant also suggested that UNC4899 likely corresponds to a DPRK-affiliated advanced persistent threat group known as TraderTraitor. Last year, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on TraderTraitor.

The attribution of the JumpCloud breach to a DPRK state-sponsored actor was further supported by cybersecurity firm SentinelOne. JumpCloud published an update stating that its incident response provider, CrowdStrike, had confirmed the affiliation of the threat actor with the DPRK. According to JumpCloud, fewer than five customers and 10 devices were affected by the subsequent attacks.

In its report, Mandiant noted that UNC4899 made an operational security error in its recent attacks. The group typically uses operational relay boxes (ORBs) and commercial VPNs to hide its identity, but in this case, Mandiant observed direct connections to an attacker-controlled ORB from a subnet address in Pyongyang, North Korea. This slip-up temporarily revealed the connection to the North Korean netblock.

Mandiant also warned of the increasing supply chain threats from DPRK threat groups. The recent JumpCloud breach and the 3CX supply chain compromise earlier this year highlight the potential cascading effects of breaching service providers to gain access to downstream customers. Mandiant suspects that financially motivated DPRK actors are targeting select entities, particularly those involved in cryptocurrency and fintech, using supply chain tactics and techniques.

Overall, the supply chain attack discovered by Mandiant serves as a reminder of the ongoing threat to software companies and their customers. The incident highlights the need for robust cybersecurity measures, including regular threat intelligence assessments, increased scrutiny of third-party service providers, and a strong incident response plan to mitigate and respond to attacks effectively.
