Cloud Security, Supply chain, Threat Management

North Korean threat group targeted JumpCloud SaaS-provider customer

North Korea bitcoin flag

Mandiant Consulting confirmed on Monday that one of the five customers identified by JumpCloud in the recent supply chain attacks on the cloud-based service was carried out by UNC4899, a North Korean threat actor with a history of targeting companies within the cryptocurrency industry.

In a blog post July 24, Mandiant Consulting researchers said they assessed with “high confidence” that UNC4899 operates as a cryptocurrency-focused actor within the Democratic People’s Republic of North Korea’s Reconnaissance General Bureau.

The Mandiant researchers said UNC4899 likely tracks to TraderTraitor a financially motivated North Korean threat group that primarily targets blockchain-related companies.

While researching the incident on June 27, Mandiant identified a malicious Ruby script executed via a JumpCloud agent for a JumpCloud customer, a software-as-a-service (SaaS) solutions provider. JumpCloud confirmed the command framework was used for malicious data injection in its security incident disclosure.

“North Korean-nexus threat actors continue to improve their cyber offensive capabilities to steal cryptocurrency,” said Charles Carmakal, chief technology officer at Mandiant Consulting, Google Cloud. “Over the past year, we’ve seen them conduct multiple supply chain attacks, poison legitimate software, and develop and deploy custom malware onto MacOS systems. They ultimately want to compromise companies with cryptocurrency and they’ve found creative paths to get there.”

Corey O’Connor, director of products at DoControl, pointed out that SaaS application and services providers are becoming a primary target for executing a supply chain attack.

“An organization’s identity layer serves as the new perimeter,” said O’Connor. “Neglecting this reality, and choosing to not extend strong security controls further down the stack, will leave organizations vulnerable to these types of advanced nation-state attacks.”

Damir Brescic, chief information security officer at Inversion6, added that UNC4899 has gained notoriety for its advanced cyber capabilities and persistent targeting of various industries, including financial institutions, government entities, and technology companies.

“The attribution by Mandiant underscores the importance of maintaining robust cyber measures within the cryptocurrency industry, as threat actors such as UNC4899 continue to exploit vulnerabilities in their relentless pursuit of illicit gains,” said Brescic. “This sophisticated attack campaign specifically targeted companies operating within the cryptocurrency vertical, highlighting the group’s continued interest in the sector.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.