US-based enterprise software firm JumpCloud says a state-backed hacking group breached its systems almost one month ago as part of a highly targeted attack focused on a limited set of customers.
The company discovered the incident on June 27, one week after the attackers breached its systems via a spear-phishing attack.
While JumpCloud did not find evidence that its customers were impacted at the time, the company decided to rotate credentials and rebuild compromised infrastructure.
On July 5, JumpCloud discovered “unusual activity in the commands framework for a small set of customers” while investigating the attack and analyzing logs for signs of malicious activity in collaboration with IR partners and law enforcement.
The same day, the company force-rotated all admin API keys to protect customers’ organizations and notified them to generate new keys.
“Continued analysis uncovered the attack vector: data injection into our commands framework. The analysis also confirmed suspicions that the attack was extremely targeted and limited to specific customers,” JumpCloud CISO Bob Phan said.
“These are sophisticated and persistent adversaries with advanced capabilities. Our strongest line of defense is through information sharing and collaboration.”
Together with the incident details shared in the advisory, JumpCloud also released indicators of compromise (IOCs) to allow partners to secure their networks against similar attacks from the same threat group.
JumpCloud has yet to provide any information on the number of customers impacted by the attack and hasn’t linked the APT group behind the breach to a specific state.
“We will continue to enhance our own security measures to protect our customers from future threats and will work closely with our government and industry partners to share information related to this threat,” Phan said.
In January, JumpCloud also investigated the potential impact of a CircleCI security incident on its customers.
Founded in 2013 and headquartered in Louisville, Colorado, the JumpCloud directory-as-a-service platform provides single sign-on and multi-factor authentication services to over 180,000 organizations in more than 160 countries.