Updated on September 20, 2023
With our investigation concluded, we want to share some additional information around what happened, what we’ve learned, and what our plans are to continuously improve our security posture for the future. We want to share our Incident Report which contains those details, which you can find here.
Bob Phan
CISO
On July 12 in our original blog post on our recent security incident, we said we would update you periodically on new developments. We are now able to share additional details.
First, we can confirm that CrowdStrike is our incident response partner. We can also report that we identified and CrowdStrike confirmed the nation-state actor involved was North Korea. Importantly, fewer than 5 JumpCloud customers were impacted and fewer than 10 devices total were impacted, out of more than 200,000 organizations who rely on the JumpCloud platform for a variety of identity, access, security, and management functions. All impacted customers have been notified directly.
We continue our ongoing investigation with US federal law enforcement and CrowdStrike. We remain in contact with our impacted customers.
JumpCloud is committed to the highest security standards in the industry, rapid response and mitigation for the safety of our customers, and open communication for the benefit of the industry.
Bob Phan
CISO
Thank you for your patience and quick action as we worked through our response plans and investigation for a security incident we first alerted you about last week. We remain committed to providing transparent and timely information around this event for our customers, partners, and the industry at large. The security threats that we face, as an industry, are unprecedented and require strong collaboration from all constituents.
As a result, today we are publishing details of activity by a sophisticated nation-state sponsored threat actor that gained unauthorized access to our systems to target a small and specific set of our customers. Prior to sharing this information, we notified and worked with the impacted customers. We have also been working with our incident response (IR) partners and law enforcement on both our investigation and steps designed to make our systems and our customers’ operations even more secure. The attack vector used by the threat actor has been mitigated.
Now that our customers are informed and we have taken the appropriate steps to eliminate this threat, we are able to share additional details of the incident in an effort to be transparent and help others take appropriate steps to monitor for and protect against this threat.
On June 27 at 15:13 UTC we discovered anomalous activity on an internal orchestration system which we traced back to a sophisticated spear-phishing campaign perpetrated by the threat actor on June 22. That activity included unauthorized access to a specific area of our infrastructure. We did not see evidence of customer impact at that time. Out of an abundance of caution, we rotated credentials, rebuilt infrastructure, and took a number of other actions to further secure our network and perimeter. Additionally, we activated our prepared incident response plan and worked with our Incident Response (IR) partner to analyze all systems and logs for potential activity. It was also at this time, as part of our IR plan, that we contacted and engaged law enforcement in our investigation.
JumpCloud Security Operations, in collaboration with our IR partners and law enforcement, continued the forensic investigation. On July 5 at 03:35 UTC, we discovered unusual activity in the commands framework for a small set of customers. At this point in time, we had evidence of customer impact and began working closely with the impacted customers to help them with additional security measures. We also decided to perform a force-rotation of all admin API keys beginning on July 5 at 23:11 UTC. We immediately notified customers of this action.
Continued analysis uncovered the attack vector: data injection into our commands framework. The analysis also confirmed suspicions that the attack was extremely targeted and limited to specific customers. What we learned allowed us to create and now share a list of IOCs (Indicators of Compromise) that we have observed for this campaign.
These are sophisticated and persistent adversaries with advanced capabilities. Our strongest line of defense is through information sharing and collaboration. That’s why it was important to us to share the details of this incident and help our partners to secure their own environments against this threat. We will continue to enhance our own security measures to protect our customers from future threats and will work closely with our government and industry partners to share information related to this threat.
If you are a customer with additional questions on this incident, please submit a support ticket in your admin console or reach out to your account manager.