JumpCloud Says Systems Were Breached By Nation-State Group

The identity security firm says a ‘sophisticated’ nation-state group breached its systems through a spear-phishing campaign and targeted a small set of customers. ‘These are sophisticated and persistent adversaries with advanced capabilities,’ Bob Phan, JumpCloud’s chief information security officer, writes.


Identity security firm JumpCloud said a “sophisticated” nation-state group recently breached its systems to target a small set of customers.

The Louisville, Colorado-based vendor disclosed the security incident in a blog post last Tuesday and said it decided to publish details of the attack after working with impacted customers and mitigating the attack vector.



“We have also been working with our incident response partners and law enforcement on both our investigation and steps designed to make our systems and our customers’ operations even more secure,” wrote Bob Phan, JumpCloud’s chief information security officer.

Phan said JumpCloud discovered “anomalous activity on an internal orchestration system” on June 27 and traced the activity back to a “sophisticated spear-phishing campaign perpetrated by the threat actor” five days earlier.

While the company didn’t notice any customer impact at the time, it took several measures to secure its network and perimeter “out of an abundance of caution,” including rotating credentials and rebuilding infrastructure, according to Phan.

It was at this time that JumpCloud activated its prepared incident response plan, began working with law enforcement to investigate the incident and worked with its incident response partner to “analyze all systems and logs for potential activity,” Phan said.

Several days later, JumpCloud discovered “evidence of customer impact” on July 5 after finding “unusual activity” in the commands framework of its platform, Phan said. The commands framework lets users execute scripts for things such as deploying files, installing software and scheduling maintenance, according to JumpCloud’s website.

Phan said JumpCloud “began working closely with the impacted customers to help them with additional security measures” while also forcing a rotation of all admin API keys.

An analysis of the unusual activity in JumpCloud’s commands framework revealed that the threat actor breached customers’ operations through data injection, according to Phan. The company also confirmed through the analysis that “the attack was extremely targeted and limited to specific customers.”

Using its findings, JumpCloud created and shared on its website a list of malicious IP addresses and hashes observed in the security incident to “block and avoid at all costs.”

“These are sophisticated and persistent adversaries with advanced capabilities. Our strongest line of defense is through information sharing and collaboration,” Phan said. “That’s why it was important to us to share the details of this incident and help our partners to secure their own environments against this threat.”