Two North Korean hacker groups had access to the internal systems of Russian missile and satellite developer NPO Mashinostroyeniya for five to six months, cyber security firm SentinelOne asserted on Monday. The attack illustrates potential North Korean efforts to advance development of missile and other military tech via cyber espionage.
“Our findings identify two instances of North Korea-related compromise of sensitive internal IT infrastructure within this same Russian defense industrial base (DIB) organization, including a specific email server, alongside use of a Windows backdoor dubbed OpenCarrot,” said the cyber security researchers.
State-backed hacker group ScarCruft was identified as the force behind the email server compromise, while the Windows backdoor was attributed to Lazarus Group. OpenCarrot has previously been detected during Lazarus Group activities. It enables full compromise of infected machines and coordination across an infected network.
The variant used in this incident “supports proxying C2 communication through the internal network hosts and directly to the external server,” according to SentinelOne’s researchers.
As for the email server compromise, the server made outbound communications to infrastructure SentinelOne attributed to the ScarCruft threat actor.
The OpenCarrot files hold a compilation timestamp of December 1, 2021, which the researchers call “likely authentic” – meaning the threat actors were in the system for a period of months. Furthermore, malicious infrastructure communicating with NPO Mash’s RedHat email server was in place since November 2021.
The rocket maker detected the intrusion in May 2022, when staffers noted unusual communications between specific processes and unknown external infrastructure. That led them to identify an unknown DLL file in their systems.
Upon detection, the infrastructure communicating with the email server immediately stopped – indicating it was likely closely monitored.
The researchers themselves found evidence of the intrusions in a leaked email collection during “usual hunting and tracking.” Further investigation of the archive revealed a larger intrusion, said SentinelOne – one that was not fully recognized at the time by NPO Mashinostroyeniya.
During those months between intrusion and detection, the hackers could read email, move between networks, and extract data.
“We acknowledge a potential sharing relationship between the two DPRK-affiliated threat actors as well as the possibility that tasking deemed this target important enough to assign to multiple independent threat actors,” said SentinelOne.
NPO Mashinostroyeniya has been around since the 1940s, when it was established to develop rockets for the Soviet military. In the 1960s, it also began designing missiles. In 2014, the firm was one of many sanctioned by the Obama administration after Russia invaded Crimea.
It designs and builds a hypersonic cruise missile known as Zircon which, according to Russian state media, can reach Mach 8.
It also holds IP for ampulization of rocket fuel – a technique whereby missiles are fuelled and sealed in the factory to allow faster deployment. In 2021, North Korea claimed it uses the technique in its Hwasong-8 hypersonic missile.
Relations between Russia and the DPRK have generally been seen as cooperative. Last June, Kim Jong-Un pledged his regime’s “full support” in a message that marked Russia’s national day.
But according to SentinelOne, this cyber espionage campaign “highlights a potential rift in relations between Russia and North Korea, considering their growing relationship.”