The hacking group Labyrinth Chollima, backed by the North Korean government, penetrated IT management company JumpCloud in the US and used it as a springboard to target cryptocurrency companies, the IT firm said on Thursday.
In a blog post, JumpCloud said that the hackers broke into the IT firm in late June and used their access to the company’s systems to target "fewer than 5" of its clients.
JumpCloud did not identify the customers affected, but cybersecurity firms CrowdStrike Holdings - which is assisting JumpCloud - and Alphabet-owned Mandiant - which is assisting one of JumpCloud's clients - both said the hackers involved were known to focus on cryptocurrency theft.
A Reuters report said two people familiar with the matter confirmed that the JumpCloud clients targeted by the hackers were cryptocurrency companies.
“North Korea in my opinion is really stepping up their game,” Tom Hegel, who works for US firm SentinelOne, told Reuters. He also independently confirmed Mandiant and CrowdStrike's attribution.
CrowdStrike identified the hackers as "Labyrinth Chollima" - one of several groups alleged to operate on North Korea's behalf. Mandiant said the hackers responsible worked for North Korea's Reconnaissance General Bureau (RGB), its primary foreign intelligence agency.
The hack on JumpCloud – whose products are used to help network administrators manage devices and servers – first surfaced publicly earlier this month when the firm emailed customers to say their credentials would be changed “out of an abundance of caution relating to an ongoing incident.”
In an earlier version of the blog post that acknowledged that the incident was a hack, JumpCloud traced the intrusion back to June 27. The cybersecurity-focused podcast