However, according to Mandiant, there have been many occasions on which DPRK threat actors did not employ this last hop, or mistakenly omitted it, while conducting operations on the victim’s network.
The VPNs used by RGB actors occasionally failed, revealing the IP addresses of the threat actors’ true origins.
“Mandiant observed the DPRK threat actor UNC4899 connecting directly to an attacker-controlled ORB from their 175.45.178[.]0/24 subnet. (Ryugyong Dong, Pyongyang). Additionally, we observed the DPRK threat actor log directly into a Pyongyang IP, from one of their jump boxes,” Mandiant said. This confirmed the location of the attacker behind the hack.
In an incident report last week, JumpCloud said fewer than five of its corporate customers and fewer than 10 devices were targeted. The company reset its customer API keys after reporting an intrusion in June.
“On June 27 at 15:13 UTC we discovered anomalous activity on an internal orchestration system which we traced back to a sophisticated spear phishing campaign perpetrated by the threat actor on June 22,” the software company said.
Analysis by the company showed that the attack vector had injected malicious data into the company’s commands framework and confirmed suspicions that the attack was extremely targeted and limited to specific customers. The attack vector used by the threat actor has since been mitigated.