Nation-State Threat Actor Behind JumpCloud Cybersecurity Incident, Specific Customers Targeted

JumpCloud, the open directory and device management platform provider, suffered from a cybersecurity incident it says impacted a small and specific set of its customers.

JumpCloud said a sophisticated nation-state sponsored threat actor was behind the attack. Bob Phan, JumpCloud’s CISO, detailed the cybersecurity incident in a blog.

JumpCloud’s Bob Phan

“Prior to sharing this information, we notified and worked with the impacted customers,” he said. “We have also been working with our incident response (IR) partners and law enforcement on both our investigation, and steps designed to make our systems and our customers’ operations even more secure. The attack vector used by the threat actor has been mitigated.”

Origin of Cybersecurity Incident

On June 27, JumpCloud discovered anomalous activity on an internal orchestration system which it traced back to a sophisticated spear-phishing campaign perpetrated by the threat actor on June 22, Phan said.

“That activity included unauthorized access to a specific area of our infrastructure,” he said. “We did not see evidence of customer impact at that time. Out of an abundance of caution, we rotated credentials, rebuilt infrastructure, and took a number of other actions to further secure our network and perimeter. Additionally, we activated our prepared incident response plan and worked with our IR partner to analyze all systems and logs for potential activity. It was also at this time, as part of our IR plan, that we contacted and engaged law enforcement in our investigation.”

On July 5, JumpCloud discovered unusual activity in the commands framework for a small set of customers, Phan said.

“At this point in time, we had evidence of customer impact and began working closely with the impacted customers to help them with additional security measures,” he said. “We also decided to perform a force-rotation of all admin API keys. We immediately notified customers of this action.”

Continued analysis uncovered the attack vector was data injection into JumpCloud’s commands framework. The analysis also confirmed suspicions that the attack was “extremely targeted and limited to specific customers,” Phan said.

“What we learned allowed us to create and now share a list of indicators of compromise (IOCs) that we have observed for this campaign,” he said. “These are sophisticated and persistent adversaries with advanced capabilities. Our strongest line of defense is through information sharing and collaboration. That’s why it was important to us to share the details of this incident and help our partners to secure their own environments against this threat. We will continue to enhance our own security measures to protect our customers from future threats, and will work closely with our government and industry partners to share information related to this threat.”