Recently, JumpCloud, a cloud-based IT management service, disclosed details about a security breach on their network. The company also shared a list of indicators of compromise (IOCs) and attributed the attack to a sophisticated nation-state sponsored threat actor. Upon analyzing these IOCs, we have found connections to a North Korean state-sponsored Advanced Persistent Threat (APT) group. The IOCs are associated with a broad range of activities that we attribute to the Democratic People's Republic of Korea (DPRK), primarily focusing on supply chain targeting, a strategy seen in their previous campaigns.
Analyzing the Attacker's Infrastructure
We analyzed the threat actor's infrastructure based on the IOCs shared by JumpCloud. Mapping out that infrastructure revealed connections between a diverse set of IP addresses as well as several recurring patterns. However, it is important to note that alerting on certain IP addresses alone can be misleading: some of them are shared hosting servers that serve many unrelated domains, so a match on such an address is not necessarily indicative of malicious activity.
Connections to Other Incidents
Interestingly, one of the indicators shared by JumpCloud was recently associated with a security alert from GitHub. It's unclear at this point whether the GitHub alert originated from the JumpCloud incident or if they are separate efforts by the same attacker. Furthermore, we found a domain related to another IP address that is quite similar to the domains shared in the GitHub alert.
Patterns and Attribution
While not a strong indicator of attribution on its own, it is noteworthy that the way these domains are constructed and used follows patterns similar to those of other DPRK-linked campaigns we track. Additional pivots of potential interest can be made through other IPs, leading to a variety of low-confidence attacker-associated infrastructure.
Expansion of Threat Activity
By profiling the associated infrastructure from both the JumpCloud intrusion and the GitHub security alert, we can expand the picture to further associated threat activity. For example, we see clear links to other NPM- and “package”-themed infrastructure that we associate with this activity at high to medium confidence.
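The three analysis steps described above (pivoting through IPs while discounting shared hosting servers, weighting domains whose naming follows the NPM/"package" theme, and expanding from seed indicators to associated infrastructure) can be expressed as a small triage routine. The following is an added example, not code or data from the report: the passive-DNS style records, the seed indicators, the shared-hosting threshold of five co-hosted domains and the theme keyword list are all constructed assumptions chosen to illustrate the method.

```python
"""
IOC infrastructure triage over passive-DNS style (domain, ip) observations.

Rules, mirroring the analysis in the text:
  * a seed IP that hosts many unrelated domains is treated as shared hosting
    and is never used as a pivot point (it yields only a low-confidence hit);
  * domains co-hosted on a dedicated seed IP inherit medium confidence if their
    name follows the observed theme, low confidence otherwise;
  * seed domains are high confidence and their dedicated IPs are medium.

All records, seeds and thresholds below are CONSTRUCTED sample values.
"""
from collections import defaultdict

# Constructed observations (hypothetical domains, documentation-range IPs).
PDNS_RECORDS = [
    ("npm-registry-update.example", "203.0.113.10"),
    ("package-mirror-cdn.example", "203.0.113.10"),
    ("dev-tools-sync.example", "203.0.113.11"),
    # 203.0.113.50 serves many unrelated sites: a shared hosting server.
    ("bakery-shop.example", "203.0.113.50"),
    ("local-news.example", "203.0.113.50"),
    ("npm-cache-proxy.example", "203.0.113.50"),
    ("sports-club.example", "203.0.113.50"),
    ("garden-center.example", "203.0.113.50"),
    ("photo-blog.example", "203.0.113.50"),
]

# Constructed seed indicators standing in for a published IOC list.
SEED_IOCS = {"203.0.113.10", "dev-tools-sync.example", "203.0.113.50"}

# Naming theme mentioned in the text; the threshold is an assumption.
THEME_KEYWORDS = ("npm", "package")
SHARED_HOSTING_THRESHOLD = 5

CONFIDENCE_RANK = {"high": 3, "medium": 2, "low": 1}


def build_graph(records):
    """Index observations both ways: ip -> domains and domain -> ips."""
    ip_to_domains = defaultdict(set)
    domain_to_ips = defaultdict(set)
    for domain, ip in records:
        ip_to_domains[ip].add(domain)
        domain_to_ips[domain].add(ip)
    return ip_to_domains, domain_to_ips


def is_shared_hosting(ip, ip_to_domains, threshold=SHARED_HOSTING_THRESHOLD):
    """An IP with many co-hosted domains is likely shared hosting."""
    return len(ip_to_domains[ip]) >= threshold


def is_themed(domain):
    """Does the domain name follow the observed package/NPM theme?"""
    return any(keyword in domain.lower() for keyword in THEME_KEYWORDS)


def pivot_infrastructure(seeds, records):
    """Return {indicator: (confidence, reason)} for seeds and their pivots."""
    ip_to_domains, domain_to_ips = build_graph(records)
    results = {}

    def note(indicator, confidence, reason):
        # Keep the strongest confidence seen for any indicator.
        current = results.get(indicator)
        if current is None or CONFIDENCE_RANK[confidence] > CONFIDENCE_RANK[current[0]]:
            results[indicator] = (confidence, reason)

    def expand_ip(ip, inherited):
        # Never pivot through a shared hosting server: its co-hosted
        # domains are mostly unrelated tenants.
        if is_shared_hosting(ip, ip_to_domains):
            return
        for domain in ip_to_domains[ip]:
            if domain in seeds:
                continue
            if is_themed(domain):
                note(domain, inherited, f"co-hosted on {ip}, themed name")
            else:
                note(domain, "low", f"co-hosted on {ip}")

    for seed in seeds:
        if seed in ip_to_domains:
            if is_shared_hosting(seed, ip_to_domains):
                note(seed, "low", "seed IP is shared hosting; alert with care")
            else:
                note(seed, "high", "seed IP")
                expand_ip(seed, "medium")
        elif seed in domain_to_ips:
            note(seed, "high", "seed domain")
            for ip in domain_to_ips[seed]:
                if is_shared_hosting(ip, ip_to_domains):
                    note(ip, "low", f"resolves {seed} but is shared hosting")
                else:
                    note(ip, "medium", f"resolves seed domain {seed}")
                    expand_ip(ip, "medium")
    return results


if __name__ == "__main__":
    for indicator, (confidence, reason) in sorted(
        pivot_infrastructure(SEED_IOCS, PDNS_RECORDS).items(),
        key=lambda item: -CONFIDENCE_RANK[item[1][0]],
    ):
        print(f"{confidence:<6} {indicator:<32} {reason}")
```

Running the block shows the two effects the text warns about: the shared hosting seed `203.0.113.50` surfaces only as a low-confidence indicator and contributes no pivots, so the themed `npm-cache-proxy.example` co-hosted there is deliberately not pulled into the set, while the dedicated seed `203.0.113.10` yields its two themed neighbours at medium confidence. In practice the threshold and the theme keywords would be tuned against the analyst's own passive-DNS source.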
The evidence suggests that North Korean threat actors are continuously adapting and exploring new methods to infiltrate targeted networks. The JumpCloud intrusion is a clear example of their preference for supply chain targeting, which provides a multitude of potential subsequent intrusions. The DPRK shows a deep understanding of the benefits of carefully selecting high-value targets as a pivot point to conduct supply chain attacks into fruitful networks.