JumpCloud Intrusion | Attacker Infrastructure Links Compromise to North Korean APT Activity
In recent news, the cloud-based IT management service JumpCloud publicly shared details gathered from the investigation into an intrusion on their network. Alongside the updated details, the organization shared a list of associated indicators of compromise (IOCs), noting attribution to an unnamed “sophisticated nation-state sponsored threat actor”.
Reviewing the newly released indicators of compromise, we associate this cluster of threat activity with a North Korean state-sponsored APT. The IOCs are linked to a wide variety of activity we attribute to the DPRK, largely centred on the supply-chain targeting approach seen in previous campaigns.
Infrastructure Analysis
Based on the IOCs shared by JumpCloud, we were able to analyze the threat actor’s infrastructure. The following list is our starting point:
Domains
alwaysckain.com
canolagroove.com
centos-pkg.org
centos-repos.org
datadog-cloud.com
datadog-graph.com
launchruse.com
nomadpkg.com
nomadpkgs.com
primerosauxiliosperu.com
reggedrobin.com
toyourownbeat.com
zscaler-api.org
IP Addresses
51.254.24.19
185.152.67.39
70.39.103.3
66.187.75.186
104.223.86.8
100.21.104.112
23.95.182.5
78.141.223.50
116.202.251.38
89.44.9.202
192.185.5.189
162.241.248.14
179.43.151.196
45.82.250.186
162.19.3.23
144.217.92.197
23.29.115.171
167.114.188.40
91.234.199.179
By mapping out this infrastructure, it is possible to show the links between the diverse set of IP addresses and pick up various patterns.
Triggering alerts on 192.185.5[.]189 alone is ill-advised, as it’s a shared …
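One way to operationalise that caveat in a detection pipeline, as an added example that is not part of the original write-up or of JumpCloud's material: match the published indicators against proxy logs, but downgrade a hit on the shared address to "review" unless a listed domain is seen on the same connection. The `dst=… host=…` log format and the sample log lines are assumptions constructed for the example, and only the IP the text itself names is treated as shared.

```python
import re

# Indicators taken from the JumpCloud list above. IOC feeds are often
# defanged ("192.185.5[.]189"), so they are normalised before matching.
IOC_DOMAINS = {"datadog-cloud.com", "zscaler-api.org", "centos-pkg.org", "nomadpkg.com"}
IOC_IPS_DEFANGED = {"192.185.5[.]189", "144.217.92.197", "51.254.24.19"}
# Addresses the write-up calls shared: a hit on the address alone is not
# actionable, so a listed domain must be seen on the same connection.
# Assumption: only the IP the page itself names is treated as shared.
SHARED_IPS = {"192.185.5.189"}

def refang(indicator: str) -> str:
    """Undo common defanging so feed entries compare with raw log values."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

IOC_IPS = {refang(i) for i in IOC_IPS_DEFANGED}

# Assumed proxy log format: "... dst=<ip> host=<SNI or Host header>"
LOG_RE = re.compile(r"dst=(?P<ip>[\d.]+)\s+host=(?P<host>\S*)")

def triage(line: str):
    """Return (verdict, reason): 'alert' for a listed domain or a listed
    non-shared IP, 'review' for a shared IP without a listed domain,
    None when nothing matched or the line did not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None, "unparsed"
    ip = m.group("ip")
    host = m.group("host").lower().rsplit(":", 1)[0]  # drop any :port
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "alert", f"listed domain {host}"
    if ip in IOC_IPS:
        if ip in SHARED_IPS:
            return "review", f"shared IP {ip} without listed domain"
        return "alert", f"listed IP {ip}"
    return None, "clean"

def triage_all(lines):
    """(verdict, line) for every line that matched an indicator."""
    return [(triage(l)[0], l) for l in lines if triage(l)[0]]

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = [
    "2023-07-20T10:01:02Z src=10.0.0.5 dst=192.185.5.189 host=datadog-cloud.com",
    "2023-07-20T10:01:09Z src=10.0.0.7 dst=192.185.5.189 host=smallbiz.example",
    "2023-07-20T10:02:15Z src=10.0.0.9 dst=203.0.113.7 host=api.zscaler-api.org:443",
    "2023-07-20T10:03:44Z src=10.0.0.5 dst=144.217.92.197 host=-",
    "2023-07-20T10:04:00Z src=10.0.0.5 dst=198.51.100.5 host=example.com",
]
```

Running `triage_all(SAMPLE_LOG)` yields two domain alerts, one IP alert and one "review" for the shared address seen with an unrelated host.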