Editor’s note: This article has been updated to include a statement from a JumpCloud spokesperson about the company’s response.
A spear-phishing attack allowed an unnamed nation-state-sponsored threat actor to intrude into JumpCloud’s systems and target specific customers last month, the company said Wednesday in a security incident update.
The identity and access management provider asserts the threat has been eliminated and the attack vector used by the threat actor to “target a small and specific set” of customers has been mitigated.
JumpCloud did not say if customer access credentials were stolen or how many customers were impacted.
“Upon detecting the incident, we immediately took action based on our incident response plan to mitigate the threat, secure our network and perimeter, communicate with our customers, and engage law enforcement,” a JumpCloud spokesperson said via email.
“As always, our entire JumpCloud team remains vigilant about new and emerging threats, and we are confident in our robust security controls and people,” the spokesperson said.
JumpCloud first observed evidence of customer impact on July 5, when the company invalidated and reset the API keys for all administrators after its investigation uncovered more malicious activity in some customers’ commands framework, JumpCloud CISO Bob Phan said.
The abrupt reset of API keys, which act as identifiers to authenticate application and user access to IT services, required customers to update all third-party integrations with newly established keys.
JumpCloud provides multidirectory management, identity and access management, multifactor authentication, single sign-on and integration with various third-party services. The Louisville, Colorado-based company said its cloud directory platform is used by more than 180,000 organizations across at least 160 countries.
JumpCloud said it first discovered anomalous activity on an internal orchestration system on June 27, which it linked to a spear-phishing attack on June 22. Despite no evidence of customer impact at the time, JumpCloud said it rotated credentials, rebuilt infrastructure and took additional steps to bolster the security of its network and perimeter.
The company said it engaged with its incident-response firm and contacted law enforcement at that time.
The gap between the intrusion and confirmed customer impact suggests the threat actor had access to JumpCloud’s systems for almost two weeks.
“These are sophisticated and persistent adversaries with advanced capabilities,” JumpCloud CISO Bob Phan said in the incident report.
“Continued analysis uncovered the attack vector: data injection into our commands framework. The analysis also confirmed that the attack was extremely targeted and limited to specific customers,” Phan said.
JumpCloud also shared known indicators of compromise to help customers hunt for malicious activity.