A recent North Korea-linked hack of a U.S. enterprise software company underscores the continued evolution and streamlining of North Korean cyber operators — and the difficulty of defending against them.
On Monday, Google’s Mandiant tied the hack to a group it tracks as UNC4899, which the company says is a cryptocurrency-focused outfit inside North Korea’s Reconnaissance General Bureau. The attackers infiltrated JumpCloud, a Colorado-based provider of cloud IT management services, apparently in order to leapfrog from it into crypto-related companies.
After JumpCloud acknowledged that North Korea was behind the attack, Mandiant published a detailed analysis of some of the malware the hackers used. JumpCloud said it had notified fewer than five of its customers that they were targeted in the operation.
The JumpCloud supply chain attack follows another disclosed in March, in which hackers compromised the financial trading software X_Trader and used that access to compromise 3CX’s desktop communications software as part of a separate, financially motivated operation, Mandiant concluded in April.
Taken together, the operations exemplify “the cascading effects of these operations to gain access to service providers in order to compromise downstream victims,” Mandiant wrote. The activities are part of “increased efforts” to target cryptocurrency and fintech-related assets, and the North Korean hackers will continue developing macOS malware and capabilities “to target high-value individuals within the cryptocurrency industry, and the software solutions they use,” Mandiant wrote.
The several North Korean hacking units that independent research groups and government agencies track collectively under the umbrella term Lazarus are increasingly sharing tooling and targeting in what Mandiant describes as a more “streamlined alignment.”
“Operators within these units quickly change their current focus and begin working on separate unrelated efforts such as ransomware, weapons and nuclear targeting, cryptocurrency efforts, etc,” the company wrote. “This seeming ‘streamlining’ of activities by DPRK often makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now collaborative adversary to move stealthily and with greater speed.”
Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, said in a statement that the company has seen noticeable improvement in North Korean operations over “multiple supply chain attacks,” where the hackers “poison legitimate software, and develop and deploy custom malware onto MacOS systems. They ultimately want to compromise companies with cryptocurrency and they’ve found creative paths to get there. But they also make mistakes that have helped us attribute several intrusions to them.”
In the JumpCloud operation, Mandiant said, those mistakes included the attackers’ virtual private network connections occasionally failing, which exposed the true source IP addresses behind the activity. The group also reused a domain associated with a previous attack attributed to North Korean cyber activity, giving investigators a second, independent link to the North Korean government. Operational slips of this kind, an unmasked source address and recycled infrastructure, are precisely the overlaps that let defenders pivot from one intrusion to another and tie them to a known actor.
Tom Hegel, a senior threat researcher with SentinelOne, said in an analysis Thursday that “North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks” and that the JumpCloud episode is a clear indication “of their inclination towards supply chain targeting.”
“The DPRK demonstrates a profound understanding of the benefits derived from meticulously selecting high-value targets as a pivot point to conduct supply chain attacks into fruitful networks,” Hegel said.