New Delhi:- Security researchers believe North Korean hackers were behind the recent breach of enterprise software company JumpCloud, thanks to an error made by the hackers themselves.
Mandiant, which is supporting one of JumpCloud's affected customers, believes the breach was carried out by hackers affiliated with the North Korean Reconnaissance General Bureau (RGB).
RGB is a hacking organization that targets cryptocurrency companies and steals passwords from executives and security teams. North Korea has long used cryptocurrency theft to fund its sanctioned nuclear weapons program.
In a blog post, Mandiant said the hacking group, tracked as UNC4899 (a designation for a new, still unclassified threat group), accidentally exposed its real IP address.
North Korean hackers often use commercial VPN services to mask their IP addresses, but these VPNs "often" fail, or the hackers do not use them at all when accessing victims' networks, exposing access originating from North Korea.
Mandiant said the evidence pointed to an "OPSEC failure," referring to operational security, the practices hackers use to avoid exposing information about their activities during a hacking campaign.
The researchers said they also found additional infrastructure used in the intrusion that had been used by hackers previously attributed to North Korea.
"North Korean nexus threat actors continue to hone their cyberattack capabilities to steal cryptocurrencies," Mandiant CTO Charles Carmakal said. "Ultimately they want to compromise the cryptocurrency business and have found creative ways to get there. But they are also making mistakes, which they attribute to our multiple interventions."
SentinelOne and CrowdStrike also confirmed that North Korea was behind the JumpCloud breach.
JumpCloud said in a short post last week that the North Korean hacking campaign targeted fewer than five corporate customers and fewer than 10 devices. JumpCloud reset customer API keys after the breach was reported in June.
JumpCloud has over 200,000 enterprise customers including GoFundMe, ClassPass and Foursquare.
The North Korean hackers who targeted JumpCloud revealed their real IP addresses because the VPN they relied on failed to keep the origin of the intrusion hidden.