JumpCloud reveals nation-state hackers breached internal systems, following customer speculation

JumpCloud: A CGI render of a glowing blue cloud, made of interconnected data points, hovering above a faint blue grid and surrounded by small padlocks. It is set against a black background.
(Image credit: Getty Images)

Identity and access management firm JumpCloud has revealed its recent ‘security incident’ was an attack by a state-sponsored threat actor, which first accessed internal systems almost two weeks before customers were notified.

Affected customers are also believed to have been specifically targeted by the threat actor which JumpCloud said was “sophisticated… with advanced capabilities”.

The customers that were targeted during the attack have been receiving additional support from JumpCloud to shore up their cyber defenses.

JumpCloud stated that it has mitigated the vector used by the attacker, not revealing any further details related to it, and committed to sharing information related to the incident with industry partners and the US government.

It also released indicators of compromise (IoCs) for the attack, comprising malicious IPs and hashes, and urged firms to use the data for Endpoint Detection and Response (EDR).

“Our strongest line of defense is through information sharing and collaboration. That’s why it was important to us to share the details of this incident and help our partners to secure their own environments against this threat,” said Bob Phan, CISO at JumpCloud. 

“We will continue to enhance our own security measures to protect our customers from future threats and will work closely with our government and industry partners to share information related to this threat.”

JumpCloud’s security incident: What happened?

On 5 July it was found that an attacker had accessed the commands framework for some JumpCloud customers via data injection.

RELATED RESOURCE

Whitepaper cover with two colleagues at workstations with one wearing headphones and reading, and digital IT icons behind them

(Image credit: Zscaler)

Busting nine myths about file-based threats

Deciphering the assumptions and myths about file-based threats.

DOWNLOAD FOR FREE

The discovery was made at 03:35 UTC, and at 23:11 UTC JumpCloud rotated all admin API keys. It notified customers that it had invalidated their API keys “out of an abundance of caution relating to an ongoing incident” without providing any further details.

The firm first discovered suspicious activity on an internal system on 27 June, which it linked spear phishing attack on 22 June, but JumpCloud stated that it saw no evidence of customer impact at that stage.

The company responded by rotating credentials, bringing in its incident response partner, contacting law enforcement, and securing infrastructure. It was through the resulting forensic investigation that the activity linked to customers was subsequently found.

"JumpCloud recently experienced a cyber security incident that impacted a small and specific set of our customers,” said a JumpCloud spokesperson at the time.

“Upon detecting the incident, we immediately took action based on our incident response plan to mitigate the threat, secure our network and perimeter, communicate with our customers, and engage law enforcement. 

“As always, our entire JumpCloud team remains vigilant about new and emerging threats, and we are confident in our robust security controls and people. We continue to work with our customers and are committed to sharing information about this incident with government agencies and industry professionals. We appreciate our ongoing partnerships with all our customers."

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.