JumpCloud Says Nation State Hackers Targeted Customers

Directory, identity, and access management solutions provider JumpCloud has disclosed customer impact following a nation-state cyberattack.

After resetting customer API keys on July 5, the company revealed last week that the security measure was triggered as part of its response to a cyberattack perpetrated by a “sophisticated nation-state sponsored threat actor”. Neither the threat actor nor the country allegedly sponsoring it has been named.

The attack started on June 22 with a spear-phishing campaign that led to unauthorized access to a specific area of JumpCloud’s infrastructure.

After discovering anomalous activity on an internal orchestration system on June 27, the company reset credentials and took additional security measures.

On July 5, after discovering unusual activity “in the commands framework for a small set of customers”, the company reset all admin API keys and started notifying the impacted customers.

“At this point in time, we had evidence of customer impact and began working closely with the impacted customers to help them with additional security measures,” JumpCloud said.

The company’s investigation into the incident uncovered that the threat actor injected data into the company’s commands framework. According to JumpCloud, the attack vector has been mitigated.

“The analysis also confirmed suspicions that the attack was extremely targeted and limited to specific customers,” JumpCloud said, without providing information on the exact number of impacted customers.

“These are sophisticated and persistent adversaries with advanced capabilities,” the company also noted.

JumpCloud notified law enforcement of the attack and published a list of indicators of compromise (IOCs) to help other organizations identify similar attacks.

“These are sophisticated and persistent adversaries with advanced capabilities. Our strongest line of defense is through information sharing and collaboration. That’s why it was important to us to share the details of this incident and help our partners to secure their own environments against this threat,” the company said.

SecurityWeek has emailed JumpCloud for additional information on the attack and will update this article if a reply arrives.

JumpCloud provides single sign-on, multi-factor authentication, and other cloud and device security solutions to more than 180,000 organizations.