The leaked emails in question date back to mid-May 2022, a week after Russia vetoed a resolution to impose new sanctions on North Korea for intercontinental ballistic missile launches.
Internal NPO Mashinostroyeniya emails show that IT staff discussed suspicious communications between specific processes and unknown external infrastructure, according to SentinelLabs.
“The same day, the NPO Mashinostroyeniya staff also identified a suspicious DLL file present in different internal systems,” SentinelOne added.
SentinelOne said the discovered emails were likely leaked accidentally, or as a result of activity unrelated to the NPO Mash intrusion, since the leaked data comprises a substantial volume of emails outside the research scope.
Compromise of Linux-based email server
After examining the emails and investigating the two separate sets of suspicious activity, the questionable network communications and the DLL implant, SentinelOne was able to correlate them and attribute each to a respective threat actor.
The cybersecurity firm found that the suspicious network traffic discussed in the emails stemmed from the compromise of the company's Linux email server, publicly hosted at 185.24.244[.]11. "At the time of discovery, the email server was beaconing outbound to the infrastructure we now attribute to the ScarCruft threat actor," SentinelOne said.
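The kind of check that surfaces the "beaconing outbound" described above, as an added example that is not code from SentinelLabs or the article: it parses an outbound connection log from a mail host and flags process/destination pairs that call out at near-constant intervals. The log format, the `updater` process name and the destination addresses are constructed for the example (documentation ranges, not the actor's real infrastructure); expected mail delivery traffic is skipped via a small allowlist.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample, not data from the SentinelLabs report: one line per
# outbound TCP connection from a Linux mail host, in a hypothetical format
# "<ISO timestamp> <process> <dst ip> <dst port>". The postfix lines are
# normal mail delivery; the "updater" lines are a process reaching the same
# host every ~10 minutes, which is the pattern the text calls beaconing.
SAMPLE_LOG = """\
2022-05-20T10:00:00 postfix/smtp 203.0.113.5 25
2022-05-20T10:00:07 updater 198.51.100.77 443
2022-05-20T10:05:00 postfix/smtp 203.0.113.9 25
2022-05-20T10:10:04 updater 198.51.100.77 443
2022-05-20T10:20:02 updater 198.51.100.77 443
2022-05-20T10:30:01 updater 198.51.100.77 443
2022-05-20T10:33:00 postfix/smtp 203.0.113.4 25
2022-05-20T10:40:05 updater 198.51.100.77 443
2022-05-20T10:50:03 updater 198.51.100.77 443
2022-05-20T11:00:01 updater 198.51.100.77 443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\d+)$")

# Outbound traffic a mail server is expected to generate: (process, port).
# Hypothetical allowlist; a real deployment would derive it from the host's role.
EXPECTED = {("postfix/smtp", 25)}


def defang(ip):
    """Render an IP the way the article does (last dot bracketed) so it is not clickable."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def parse_log(text):
    """Yield (timestamp, process, dst_ip, dst_port) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail on them
        ts, proc, ip, port = m.groups()
        yield datetime.fromisoformat(ts), proc, ip, int(port)


def find_beacons(text, min_conns=5, max_cv=0.15):
    """Flag (process, dst, port) tuples that connect out at near-constant intervals.

    A beacon is approximated as at least `min_conns` connections whose gaps
    have a coefficient of variation (stdev / mean) below `max_cv`, from a
    process/port pair that is not on the expected list. Results are defanged.
    """
    groups = defaultdict(list)
    for ts, proc, ip, port in parse_log(text):
        if (proc, port) in EXPECTED:
            continue
        groups[(proc, ip, port)].append(ts)

    hits = []
    for (proc, ip, port), stamps in groups.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            continue  # one gap has zero spread by definition; not evidence
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({
                "process": proc,
                "dst": defang(ip),
                "port": port,
                "count": len(stamps),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the sample, only the `updater` connections to 198.51.100[.]77:443 are flagged (seven connections, mean gap 599 s, very low jitter), while the three Postfix deliveries to distinct peers are ignored. Real implants add jitter, so `max_cv` should be tuned against the host's own baseline rather than set once; the allowlist is what keeps legitimate periodic traffic (monitoring agents, package mirrors) from drowning the result.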