
North Korean cyber group UNC4899 suspected in breach targeting JumpCloud’s Zero-Trust directory platform


In a recent development, a North Korean threat group has been linked to a breach targeting JumpCloud, a renowned zero-trust directory platform service used for identity and access management. According to a security advisory published by Mandiant on Monday, the compromise originated from a sophisticated spear-phishing campaign.

JumpCloud, in its security incident disclosure updated on July 20, revealed that the unauthorized access affected fewer than five customers and fewer than ten devices. However, as Mandiant delved deeper into the attack, it identified the intrusions as the work of UNC4899, a hacking group associated with the Democratic People’s Republic of Korea (DPRK).

UNC4899 is known for its focus on targeting companies in the cryptocurrency sector, and Mandiant’s investigation indicates a high likelihood that the group operates under the DPRK’s Reconnaissance General Bureau (RGB). This alignment of state-sponsored threats with cyber-criminal activity blurs the line between financial and intelligence motivations, creating a complex challenge for cybersecurity experts.

Mike Parkin, senior technical engineer at Vulcan Cyber, remarked, “Assuming attribution to the DPRK is correct, it reinforces the image that in the context of cybercrime, they have little interest in being part of the solution.”

During its inquiry, Mandiant uncovered that the attack path began with a Ruby script executed via the JumpCloud agent at a downstream customer, which allowed the threat actor to deploy multiple backdoors. These backdoors gave the attacker persistence and enabled the execution of various commands on the compromised systems.

Corey O’Connor, director of products at DoControl, emphasized the importance of extending security measures beyond the identity layer, particularly as SaaS applications and service providers become primary targets for supply chain-based attacks. He stated, “An organization’s identity layer serves as the new perimeter. Neglecting this reality, and choosing not to extend strong security controls further down the stack, will leave organizations vulnerable to these types of advanced nation-state attacks.”

Mandiant also revealed that UNC4899 and other DPRK threat actors have occasionally made operational security mistakes, exposing their true IP addresses and revealing their North Korean origins. Such slip-ups provide valuable insights for cybersecurity experts tracking and countering these cyber-espionage operations.

Organizations are urged to take note of this emerging threat and bolster their security posture accordingly. For more detailed information about this breach and the threat posed by UNC4899, refer to Mandiant’s original advisory.
