The North Korean group behind the JumpCloud breach left digital footprints behind that allowed researchers to trace their IP addresses.
The breach first emerged last week.
Google-owned security outfit Mandiant has attributed the attack to North Korean group UNC4889, partly because of VPN failures and user errors that exposed the source addresses of traffic.
The group used a series of relay boxes to send traffic over IPsec-encrypted Layer 2 Tunnelling Protocol tunnels to obscure their addresses; alternatively, commercial VPN providers were used.
The commercial providers used included ExpressVPN, NordVPN, TorGuard and others.
Sometimes, Mandiant explained, someone “fumbled”: “DPRK threat actors did not employ this last hop, or mistakenly did not utilise this while conducting actions on operations on the victim’s network.”
In addition: “The VPNs used by RGB actors occasionally fail, which reveals the IP addresses of the actor’s true origins … Our evidence supports that this was an OPSEC slip up since the connection to the North Korean netblock was short-lived.”
Mandiant said the JumpCloud intrusion was carried out as a software supply chain attack: the attackers compromised JumpCloud and inserted malicious commands into a Ruby script that was part of the company’s commands framework.
The customer Mandiant analysed was infected with the malicious script in a spear phishing attack, and the script then downloaded and executed a stage two payload.
This gave the attackers the opportunity to install backdoors, with persistence established through plist files.
While JumpCloud has not identified who was affected, Mandiant said the attackers were most interested in cryptocurrency theft.