A week after issuing a mandatory API key rotation in response to an unspecified incident, cloud provider JumpCloud disclosed that its network was breached by a nation-state threat actor.
In a blog post last week, JumpCloud CISO Robert Phan said the company initially detected "anomalous activity on an internal orchestration system" on June 27. An investigation traced the activity back to a "sophisticated" spear phishing campaign on June 22 and revealed that the threat actor gained access to a specific but unnamed area of JumpCloud's infrastructure. Phan said that at that time, the company did not see any evidence of customer impact.
"Out of an abundance of caution, we rotated credentials, rebuilt infrastructure, and took a number of other actions to further secure our network and perimeter. Additionally, we activated our prepared incident response plan and worked with our incident response (IR) partner to analyze all systems and logs for potential activity," Phan said in the blog post. JumpCloud also contacted and engaged law enforcement as part of its IR plan.
Phan said that on July 5, the investigation discovered "unusual activity in the commands framework for a small set of customers." As a result, JumpCloud invalidated all API keys for customer administrators and immediately notified customers of the mandatory rotation.
"Continued analysis uncovered the attack vector: data injection into our commands framework. The analysis also confirmed suspicions that the attack was extremely targeted and limited to specific customers," Phan said.
The blog post did not specify what kind of customers were targeted or how those customers were directly affected by the threat group. While Phan said the breach was the work of "a sophisticated nation-state sponsored threat actor," JumpCloud did not attribute the attack to a specific country.
UPDATE 7/20: In a blog post, SentinelOne attributed the JumpCloud breach to a North Korean state-sponsored threat group. The threat detection vendor found that infrastructure used in the JumpCloud breach was connected to previous activity from the North Korean group.
It's unclear why JumpCloud's July 5 advisory did not specify that a network breach had been confirmed and instead only referenced an "ongoing incident" with no information about the spear phishing campaign.
TechTarget Editorial contacted JumpCloud, but the company declined to comment further. A company spokesperson instead provided the following statement:
JumpCloud recently experienced a cybersecurity incident that impacted a small and specific set of our customers. Upon detecting the incident, we immediately took action based on our incident response plan to mitigate the threat, secure our network and perimeter, communicate with our customers, and engage law enforcement.
As always, our entire JumpCloud team remains vigilant about new and emerging threats, and we are confident in our robust security controls and people. We continue to work with our customers and are committed to sharing information about this incident with government agencies and industry professionals. We appreciate our ongoing partnerships with all our customers.
Rob Wright is a longtime technology reporter who lives in the Boston area.