North Korean state-sponsored hackers have been linked to two recent campaigns: a spear-phishing attack on JumpCloud, and a social engineering campaign targeting technology-company employees on GitHub.
The JumpCloud intrusion
On June 27, JumpCloud – an enterprise software company that offers a cloud-based directory as a service platform – noticed some unusual activity on an internal orchestration system and traced it back to a spear-phishing attack that occurred on June 22.
Although JumpCloud activated its incident response plan as soon as it saw those first indications, it was not until July 5 that it discovered unusual activity in the commands framework for a small number of customers.
“Continued analysis uncovered the attack vector: data injection into our commands framework. The analysis also confirmed suspicions that the attack was extremely targeted and limited to specific customers,” the company noted.
“Fewer than 5 JumpCloud customers were impacted and fewer than 10 devices total were impacted, out of more than 200,000 organizations who rely on the JumpCloud platform for a variety of identity, access, security, and management functions.”
Further investigation by JumpCloud and CrowdStrike confirmed that the hack was carried out by a North Korean state-sponsored group.
Mandiant’s investigation of a downstream victim organization compromised as a result of the JumpCloud intrusion confirmed this attribution. According to Mandiant, the attackers targeted companies in the cryptocurrency vertical to obtain credentials and reconnaissance data.
JumpCloud has released indicators of compromise to help clients secure their systems.
The GitHub social engineering campaign
GitHub has warned about a low-volume social engineering campaign targeting personal accounts of employees (developers) of technology firms in the blockchain, cryptocurrency, or online gambling sectors.
The attack starts with the threat actor creating fake accounts (or hijacking existing ones) on GitHub and other social networks, posing as a developer or recruiter.
“After establishing contact with a target, the threat actor invites the target to collaborate on a GitHub repository and convinces the target to clone and execute its contents,” Alexis Wales, GitHub’s VP of Security Operations, explained.
“The GitHub repository contains software that includes malicious npm dependencies. Some software themes used by the threat actor include media players and cryptocurrency trading tools.”
Functioning as first-stage malware, these npm packages then download and execute second-stage malware on the victim’s device.
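The practical defence against this lure is to look at what `npm install` would run or fetch before running it. The following is an added example written for this page, not code from the article, GitHub or the campaign: it audits a package.json for npm lifecycle hooks (which execute arbitrary shell commands at install time) and for dependency specifiers that point at git repositories, URLs or tarballs instead of a registry version. The sample manifest, the function names and the hypothetical package names in it are constructed for illustration.

```javascript
// Added example (not from the article or GitHub): a pre-install audit of a
// cloned repository's package.json. npm lifecycle hooks run shell commands
// during `npm install`, and git/URL/tarball specifiers bypass the registry,
// so both are worth seeing before executing anything from an unknown repo.

// Scripts npm runs automatically as part of `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// True when a dependency specifier does not resolve to a registry version.
function isNonRegistrySpecifier(spec) {
  const s = String(spec).trim();
  if (s.startsWith("npm:")) return false; // registry alias, e.g. npm:lodash@^4.17
  if (/^(git\+|git:|github:|gitlab:|bitbucket:|gist:|https?:|file:|link:|workspace:)/i.test(s)) return true;
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return true; // GitHub shorthand user/repo[#ref]
  if (/\.(tgz|tar\.gz|tar)$/i.test(s)) return true; // local or remote tarball
  return false;
}

// Findings for one package.json object (the top-level manifest, or a
// dependency's own manifest under node_modules after a scripts-free fetch).
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === "string" && scripts[hook].trim() !== "") {
      findings.push({ kind: "lifecycle-script", pkg: pkg.name, name: hook, value: scripts[hook] });
    }
  }
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isNonRegistrySpecifier(spec)) {
        findings.push({ kind: "non-registry-dependency", pkg: pkg.name, name, value: spec, field });
      }
    }
  }
  return findings;
}

// Policy: any install-time hook or non-registry source anywhere in the set
// of manifests means "read it by hand before letting install scripts run".
function safeToRunInstallScripts(manifests) {
  return manifests.flatMap(auditManifest).length === 0;
}

// Constructed sample manifest in the style of the campaign's "media player"
// lures. The package and script names are hypothetical.
const SAMPLE_MANIFEST = {
  name: "media-player-demo",
  version: "1.0.0",
  scripts: {
    start: "node index.js",
    test: "jest",
    postinstall: "node scripts/setup.js",
  },
  dependencies: {
    react: "^18.2.0",
    "chart-helpers": "some-user/chart-helpers#main",
  },
  devDependencies: {
    jest: "^29.0.0",
  },
};

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`[${f.kind}] ${f.pkg}: ${f.name} -> ${f.value}`);
}
console.log(
  safeToRunInstallScripts([SAMPLE_MANIFEST])
    ? "no install-time findings"
    : "review before running npm install without --ignore-scripts"
);
```

The top-level manifest is only half the picture: a dependency's own `postinstall` is invisible until the package is fetched. The workable order is to run `npm install --ignore-scripts` first, then feed every `node_modules/*/package.json` through `auditManifest` (or an equivalent check), and only then decide whether scripts may run. Note the limit of this check: a registry package whose ordinary code downloads a second stage when the application is started, which is what the campaign relied on, is not flagged by install-time inspection and still requires reading the dependency or running it in an isolated environment.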
“We assess with high confidence that this campaign is associated with a group operating in support of North Korean objectives, known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the US Cybersecurity and Infrastructure Security Agency (CISA),” Wales added.
GitHub has also shared the indicators of compromise.
North Korean hackers playing pretend
North Korean state-sponsored hackers are well known for their cyber efforts aimed at stealing cryptocurrency to finance the relatively isolated nation-state. Their targets range from national banks to crypto-companies.
Last year, the US Department of State warned about North Korean hackers taking advantage of the worldwide skill shortage to infiltrate companies by applying for software development and other IT jobs as freelancers.
Once they gain privileged access as contractors, they can enable malicious cyber intrusions by other North Korean threat actors.
UPDATE (July 25, 2023, 06:40 a.m. ET):
Mandiant has shared indicators of compromise from its investigation at one of JumpCloud’s impacted customers, as well as YARA detection rules, and described how an OPSEC mistake by the attackers helped attribute the attack to North Korean hackers.