Exclusive-North Korean hackers breached a US tech company to steal crypto-sources

By Christopher Bing and Raphael Satter

WASHINGTON (Reuters) -A North Korean government-backed hacking group penetrated an American IT management company and used it as a springboard to target cryptocurrency companies, according to two sources familiar with the matter.

The hackers broke into Louisville, Colorado-based JumpCloud in late June and used their access to the company’s systems to target its cryptocurrency company clients in an effort to steal digital cash, the sources said.

The hack shows how North Korean cyber spies, once content with going after crypto companies one at a time, are now tackling companies that can give them access to multiple sources of bitcoin and other digital currencies.

JumpCloud, which acknowledged the hack in a blog post last week and blamed it on a “sophisticated nation-state sponsored threat actor,” did not respond to Reuters’ questions about who was behind the hack and which clients were affected.

A JumpCloud spokesperson said fewer than five customers had been impacted. Reuters could not ascertain whether any digital currency was ultimately stolen as a result of the hack.

Cybersecurity firm CrowdStrike Holdings, which is working with JumpCloud to investigate the breach, confirmed that “Labyrinth Chollima” – the name it gives to a particular squad of North Korean hackers – was behind the breach.

CrowdStrike Senior Vice President for Intelligence Adam Meyers declined to comment on what the hackers were seeking, but noted that they had a history of targeting cryptocurrency targets.

“One of their primary objectives has been generating revenue for the regime,” he said.

Pyongyang’s mission to the United Nations in New York did not immediately respond to a request for comment. North Korea has previously denied organizing digital currency heists, despite voluminous evidence – including U.N. reports – to the contrary.

Independent research backed CrowdStrike’s allegation.

Cybersecurity researcher Tom Hegel, who wasn’t involved in the investigation, told Reuters that the JumpCloud intrusion was the latest of several recent breaches that showed how the North Koreans have become adept at “supply chain attacks,” or elaborate hacks that work by compromising software or service providers in order to steal data – or money – from users downstream.

“North Korea in my opinion is really stepping up their game,” said Hegel, who works for U.S. firm SentinelOne.

In a blog post to be published Thursday, Hegel said the digital indicators published by JumpCloud tied the hackers to activity previously attributed to North Korea.

The U.S. cyber watchdog agency CISA and the FBI declined to comment.

The hack on JumpCloud – whose products are used to help network administrators manage devices and servers – first surfaced publicly earlier this month when the firm emailed customers to say their credentials would be changed “out of an abundance of caution relating to an ongoing incident.”

In the blog post that acknowledged that the incident was a hack, JumpCloud traced the intrusion back to June 27. The cybersecurity-focused podcast Risky Business earlier this week cited two sources as saying that North Korea was a suspect in the intrusion.

Labyrinth Chollima is one of North Korea’s most prolific hacking groups and is said to be responsible for some of the isolated country’s most daring and disruptive cyber intrusions. Its theft of cryptocurrency has led to the loss of eye-watering sums: Blockchain analytics firm Chainalysis said last year that North Korean-linked groups stole an estimated $1.7 billion worth of digital cash across multiple hacks.

CrowdStrike’s Meyers said Pyongyang’s hacking squads should not be underestimated.

“I don’t think this is the last we’ll see of North Korean supply chain attacks this year,” he said.

(Reporting by Christopher Bing and Raphael Satter in Washington; Additional reporting by James Pearson in London and Michelle Nichols in New York; Editing by Anna Driver and Bernadette Baum)