North Korean hackers breached Russian missile development firm

North Korean state-sponsored hackers have breached Russian missile maker NPO Mashinostroyeniya, according to SentinelLabs researchers.


The researchers came across leaked email communication between NPO Mashinostroyeniya’s IT staff that contained information about a possible cyber intrusion first detected in May 2022.

According to the emails, the breached company’s IT staff discovered a suspicious DLL file within company systems, which SentinelLabs researchers identified as a version of the OpenCarrot Windows OS backdoor previously linked to the Lazarus hacking group.

“OpenCarrot enables full compromise of infected machines, as well as the coordination of multiple infections across a local network,” the researchers noted.

“The OpenCarrot variant we analyzed supports proxying C2 communication through the internal network hosts and directly to the external server, which supports the strong possibility of a network-wide compromise.”

The researchers also discovered that the unusual network traffic discussed in the emails was due to the compromise of the company’s Linux email server.

Researchers have not yet determined the initial access method, but they linked “malware loading tools and techniques involving this set of infrastructure to those seen in previously reported ScarCruft activity using the RokRAT backdoor,” they noted.

“ScarCruft is commonly attributed to North Korea’s state-sponsored activity, targeting high value individuals and organizations near-globally. The group is also referred to as Inky Squid, APT37, or Group123, and often showcases a variety of technical capabilities for their intrusions.”

Technical data suggests that the intrusion started in December 2021 and lasted until May 2022, when it was discovered.

Cyber espionage

North Korean hacking groups are generally known for financially focused attacks aimed at supporting the nation’s economic, political and military ambitions, but cyber espionage is also a means to attain these objectives.

“At this time, we cannot determine the potential nature of the relationship between the two threat actors. We acknowledge a potential sharing relationship between the two DPRK-affiliated threat actors as well as the possibility that tasking deemed this target important enough to assign to multiple independent threat actors,” researchers noted.

“NPO Mashinostroyeniya is a sanctioned entity that possesses highly confidential intellectual property on sensitive missile technology currently in use and under development for the Russian military.”
