A hacking unit from North Korea’s Reconnaissance General Bureau (RGB) has been linked to the JumpCloud breach after the attackers made an operational security (OPSEC) error that inadvertently exposed their real IP addresses.
The hacking group, tracked as UNC4899 by Mandiant, has previously been observed using a combination of commercial VPNs and operational relay boxes (ORBs) using IPsec L2TP tunnels to mask their real location.
Mandiant claims that UNC4899 threat actors have used numerous VPN providers for this purpose in previous campaigns, including ExpressVPN, NordVPN, TorGuard and others.
While North Korean hackers have been known to use commercial VPN services to hide their real IP addresses and locations, during the JumpCloud attack the VPNs they were using failed and revealed their location in Pyongyang when they connected to a victim’s network.
“Mandiant observed DPRK threat actor UNC4899 connecting directly to an attacker-controlled ORB from their 175.45.178[.]0/24 subnet,” the researchers said.
“Additionally, we observed that the DPRK threat actor connected directly to a Pyongyang IP address from one of their relay boxes. Our evidence confirms that this was an OPSEC error, as the connection to the North Korean netblock was short-lived.”
In addition to this OPSEC mistake, Mandiant security researchers also found that the attack infrastructure overlapped with that of previous intrusions linked to North Korean hackers, further reinforcing the attribution of the breach.
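The detection opportunity in the finding above is a defender's one: a network-edge or VPN concentrator log that records source IPs can be checked against a watchlist of netblocks, and short-lived connections from a watchlisted source are exactly the kind of slip Mandiant describes. The script below is an added example written for this article, not code from Mandiant, JumpCloud or BleepingComputer. The 175.45.178.0/24 netblock comes from the Mandiant quote; the log line format, the other IP addresses (documentation ranges) and the 60-second "short-lived" threshold are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed sample log (not real data). Fields: timestamp, event, source IP,
# destination IP, connection duration in seconds. The 175.45.178.x source sits in
# the netblock Mandiant named; the other addresses are documentation ranges.
SAMPLE_LOG = """\
2023-06-27T09:14:02Z CONNECT 203.0.113.45 198.51.100.10 duration=3600
2023-06-27T09:15:40Z CONNECT 175.45.178.19 198.51.100.10 duration=12
2023-06-27T09:16:05Z CONNECT 175.45.178.19 198.51.100.11 duration=7
2023-06-27T10:02:11Z CONNECT 192.0.2.77 198.51.100.10 duration=5400
"""

# Watchlist: the netblock from the Mandiant finding. A real deployment would load
# this from threat-intel feeds rather than hard-code it.
WATCHLIST = [ipaddress.ip_network("175.45.178.0/24")]

# Assumed threshold: connections shorter than this are flagged as short-lived,
# matching the "short-lived" pattern described in the finding.
SHORT_LIVED_SECONDS = 60


def parse_line(line):
    """Parse one constructed log line into a record with typed fields."""
    ts, event, src, dst, dur = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "duration": int(dur.split("=", 1)[1]),
    }


def in_watchlist(addr):
    """True if the address falls inside any watchlisted netblock."""
    return any(addr in net for net in WATCHLIST)


def find_direct_connections(log_text):
    """Return CONNECT records whose source is watchlisted, marking short-lived ones."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] != "CONNECT" or not in_watchlist(rec["src"]):
            continue
        rec["short_lived"] = rec["duration"] <= SHORT_LIVED_SECONDS
        hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged connections per source address for a quick triage view."""
    counts = {}
    for rec in hits:
        key = str(rec["src"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_direct_connections(SAMPLE_LOG)
    for rec in flagged:
        print(rec["ts"].isoformat(), rec["src"], "->", rec["dst"],
              f"{rec['duration']}s", "SHORT-LIVED" if rec["short_lived"] else "")
    print(summarize(flagged))
```

The check is deliberately on the source side of the connection: an ORB or VPN exit node is what a defender expects to see, so a source inside a watchlisted netblock is the anomaly worth alerting on, and the duration field separates a momentary slip from sustained traffic.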
“We assess with high confidence that UNC4899 is a cryptocurrency-focused group that falls under the RGB. The targeting of UNC4899 is selective, and they have been observed to access victims’ networks via JumpCloud,” Mandiant added.
“Mandiant observed that UNC2970, APT43 and UNC4899 all use similar infrastructure.”
Austin Larsen, a senior incident response consultant, told BleepingComputer that the attackers also struck a downstream victim following their breach of JumpCloud.
Mandiant anticipates that other victims may currently be dealing with the repercussions of this attack.
JumpCloud forced a rotation of all admin API keys on July 5, a week after the hackers breached its network via a spear-phishing attack.
Although the company has now attributed the attack, it has not yet disclosed the number of customers affected.
Colorado-based JumpCloud is a directory-as-a-service platform that provides single sign-on and multi-factor authentication services to more than 180,000 organizations spanning more than 160 countries.