JumpCloud: A 'state-sponsored threat actor' compromised our systems

Firm says the threat actor was 'sophisticated' and 'persistent'

JumpCloud says a state-sponsored threat actor compromised its systems

JumpCloud, an enterprise directory platform facilitating user and device authentication and management, has reported a security breach by a state-backed hacking group, directed towards a "small and specific" group of customers.

While it did not share the identity of the state-backed group, JumpCloud characterised the threat actor as "sophisticated," with advanced capabilities.

In a recent update, JumpCloud's CISO, Bob Phan, said the company first detected unusual activity on an internal orchestration system on 27th June.

After an investigation, the team traced this activity back to a spear-phishing campaign the attacker launched on 22nd June.

Although JumpCloud did not discover any evidence suggesting its customers were directly affected, it took proactive measures to ensure its system security.

For example, it decided to rotate credentials and rebuild compromised infrastructure to protect its customers from potential risks.

Two weeks later, on 5th July, JumpCloud identified unusual activity in its commands framework, affecting a small group of customers.

In response, the company reset all admin API keys as a security measure and started contacting the affected customers, advising them to generate new API keys.

"Continued analysis uncovered the attack vector: data injection into our commands framework. The analysis also confirmed suspicions that the attack was extremely targeted and limited to specific customers," Phan said.

JumpCloud did not share the number of customers affected. Neither did it provide a clear explanation of the connection between the June phishing attack and the July data injection incident.

It remains unclear whether the phishing emails directly facilitated the deployment of malware, leading to the attack.

Phan stressed that JumpCloud had mitigated the attack vector the hackers used.

The company has notified law enforcement authorities about the attack and has published a list of indicators of compromise (IOCs).

"Based on our investigation, we have identified the following malicious IP addresses and hashes to block and avoid at all costs. Please use this data to add additional protection to your Endpoint Detection and Response (EDR) and perimeter security solutions," the company wrote.
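Putting a published IOC list to use means more than pasting it into a console: the indicators have to be parsed and validated, then matched against what the perimeter and EDR telemetry actually record. The script below is an added example, not JumpCloud's code and not its published IOCs; the IP addresses (TEST-NET ranges), SHA-256 values and log lines are all constructed placeholders. It reads a simple "type value" feed, drops malformed entries, and scans firewall and EDR records for hits on the listed addresses and file hashes.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC feed in "type value" form. Placeholder values only:
# TEST-NET addresses and made-up hashes, not JumpCloud's published indicators.
IOC_FEED = """\
# type  value
ip      203.0.113.45
ip      198.51.100.7
sha256  4f0c5f3a8e1b9d2c7a6b5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b
sha256  A1B2C3D4E5F60718293A4B5C6D7E8F9001122334455667788990AABBCCDDEEFF
ip      not-an-ip        # malformed entry, must be skipped rather than block the load
"""

# Constructed firewall and EDR records, in the key=value style many products export.
LOG_LINES = [
    "2023-07-05T10:12:01Z fw src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "2023-07-05T10:12:07Z fw src=10.0.0.9 dst=192.0.2.10 dport=443 action=allow",
    "2023-07-05T10:13:44Z edr host=ws-017 file=/tmp/updater "
    "sha256=A1B2C3D4E5F60718293A4B5C6D7E8F9001122334455667788990AABBCCDDEEFF",
    "2023-07-05T10:14:02Z edr host=ws-022 file=/usr/bin/curl sha256=" + "deadbeef" * 8,
    "2023-07-05T10:15:30Z fw src=198.51.100.7 dst=10.0.0.5 dport=22 action=deny",
]

HEX64_EXACT = re.compile(r"^[0-9a-f]{64}$")
IPV4_TOKEN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")   # IPv4 only; IPv6 is out of scope here
HEX64_TOKEN = re.compile(r"\b[0-9A-Fa-f]{64}\b")


def parse_iocs(feed: str) -> dict:
    """Parse a 'type value' IOC feed into normalised sets, skipping bad entries."""
    iocs = {"ip": set(), "sha256": set()}
    for raw in feed.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            continue
        kind, value = parts[0].lower(), parts[1]
        if kind == "ip":
            try:
                # ipaddress validates the token and gives a canonical string form
                iocs["ip"].add(str(ipaddress.ip_address(value)))
            except ValueError:
                continue                           # "not-an-ip" lands here
        elif kind == "sha256":
            value = value.lower()                  # hashes compare case-insensitively
            if HEX64_EXACT.match(value):
                iocs["sha256"].add(value)
    return iocs


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the scanned records
    kind: str      # "ip" or "sha256"
    value: str     # the matched indicator, normalised


def scan_lines(lines, iocs: dict) -> list:
    """Return every IOC match found in the given log records, in record order."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in IPV4_TOKEN.findall(line):
            if tok in iocs["ip"]:
                hits.append(Hit(n, "ip", tok))
        for tok in HEX64_TOKEN.findall(line):
            if tok.lower() in iocs["sha256"]:
                hits.append(Hit(n, "sha256", tok.lower()))
    return hits


def summarize(hits) -> dict:
    """Count hits per indicator type, handy for a quick triage report."""
    counts = {"ip": 0, "sha256": 0}
    for h in hits:
        counts[h.kind] += 1
    return counts


if __name__ == "__main__":
    loaded = parse_iocs(IOC_FEED)
    for h in scan_lines(LOG_LINES, loaded):
        print(f"line {h.line_no}: {h.kind} match on {h.value}")
    print(summarize(scan_lines(LOG_LINES, loaded)))
```

Both the source and destination fields are checked, which is why the last record (an inbound connection from a listed address that the firewall already denied) still surfaces: a denied hit is worth knowing about even when nothing got through. Replace the constructed feed with the vendor's actual list and the constructed records with an export from the perimeter or EDR console, and the same two functions give a first pass at the retrospective search the advisory asks for.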

Phan said the actors responsible for the incident are "sophisticated and persistent adversaries with advanced capabilities. Our strongest line of defence is through information sharing and collaboration."

He added, "The security threats that we face, as an industry, are unprecedented and require strong collaboration from all constituents."

JumpCloud, established in 2013 and based in Louisville, Colorado, offers its software to more than 180,000 organisations.

Among these, the company boasts more than 5,000 paying customers, including names like Cars.com, GoFundMe, Grab, ClassPass, Uplight, Beyond Finance and Foursquare.

JumpCloud's disclosure comes just days after Microsoft's announcement of a separate security breach.

Microsoft said a state-backed threat group called Storm-0558, based in China, covertly accessed email accounts in approximately 25 organisations globally, including government agencies in the US and Western Europe.

Although Microsoft did not explicitly disclose the names of the affected organisations or governments, both the US State Department and the Commerce Department confirmed that they were among those impacted by the incident.