North Korean nation-state actors linked to the Reconnaissance General Bureau (RGB) have been tied to the JumpCloud breach after an operational security lapse exposed their true IP address. Mandiant, the Google-owned threat intelligence firm, attributes the activity to UNC4899, a cluster that overlaps with groups tracked elsewhere as Jade Sleet and TraderTraitor. These actors have a history of targeting the blockchain and cryptocurrency sectors.
UNC4899's operations combine intelligence gathering with cryptocurrency theft from the companies it targets. To hide their origin, the operators route traffic through Operational Relay Boxes (ORBs) reached over L2TP/IPsec tunnels and then through commercial VPN providers, with the commercial VPN serving as the final hop. When that last hop fails, the true source address is exposed, which is how the actors were caught out here.
The JumpCloud intrusion began with a spear-phishing campaign on June 22, 2023, and culminated on June 27, 2023, when a malicious Ruby script ("init.rb") was pushed through the JumpCloud agent to a software solutions entity. The payload landed on four Apple systems running macOS Ventura 13.3 or 13.4.1, showing that the actors had tooling tailored to the platform.
Having compromised JumpCloud, the attackers inserted malicious code into its commands framework, the mechanism administrators use to run scripts on managed devices, and so reached customer hosts. The lightweight Ruby script downloaded and executed a second-stage payload tracked as FULLHOUSE.DOORED, which in turn deployed additional malware, STRATOFEAR and TIEDYE. TIEDYE shares similarities with RABBITHUNT, a C++ backdoor that communicates over TCP.
Mandiant also links this campaign to an earlier DPRK supply chain compromise and assesses the motive as financial, aimed at cryptocurrency and fintech assets. The report further notes that the actors distribute malware through open-source software packages to maximize their reach.
North Korea has a long record of cryptocurrency heists that fund its nuclear weapons program, alongside cyber espionage for strategic intelligence. The Lazarus Group, known for its state-sponsored attacks, is the most prominent threat actor associated with the country. Another group, Kimsuky, concentrates on spear-phishing against South Korean targets, delivering malware through disguised document files.
Overall, the North Korean intelligence apparatus shows flexibility and resilience, standing up cyber units as the regime's needs change. These units share resources, infrastructure and tradecraft, which makes them one of the most active and dangerous state-aligned threat sets worldwide.