JumpCloud intrusion – Attacker infrastructure links compromise to North Korean APT activity


In recent news, the cloud-based IT management service JumpCloud publicly shared details gathered from the investigation into an intrusion on their network. Having reviewed the newly released indicators of compromise, SentinelLabs associated the cluster of threat activity to a North Korean state sponsored APT.

The indicators of compromise (IOCs) are linked to a wide variety of activity SentinelLabs attributed to the Democratic People’s Republic of Korea (DPRK), overall centric to the supply chain targeting approach seen in previous campaigns.

Additionally, based on the IOCs shared by JumpCloud, SentinelLabs were able to analyse the threat actor’s infrastructure and, by mapping it out, they showed the links between the diverse set of IP addresses and pick up various patterns.


It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks. The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions. The DPRK demonstrates a profound understanding of the benefits derived from meticulously selecting high-value targets as a pivot point to conduct supply chain attacks into fruitful networks.

SentinelLabs have shared their analysis in this report published today.