Pierluigi Paganini
August 07, 2023
Cybersecurity firm SentinelOne linked the compromise of the major Russian missile engineering firm NPO Mashinostroyeniya to two different North Korea-linked APT groups. NPO Mashinostroyeniya (JSC MIC Mashinostroyenia, NPO Mash) is a leading Russian manufacturer of missiles and military spacecraft.
The Russian firm was sanctioned by the U.S. Treasury Department in July 2014 due to its support to the Russian government in attempting of destabilizing eastern Ukraine and its ongoing occupation of Crimea.
The researchers identified two instances of North Korea-related compromise, threat actors breached sensitive internal IT infrastructure, including a specific email server. The attackers were also observed using the Windows backdoor dubbed OpenCarrot.
SentinelOne attributes the hack of the mail server to the ScarCruft APT group, while it linked the OpenCarrot backdoor to the Lazarus group. However, it is not clear if the two groups hacked the Russian firm as part of a joint cyberespionage campaign.
The cyberspies targeted NPO Mashinostroyeniya in an attempt to steal highly confidential intellectual property on sensitive missile technology currently in use and under development for the Russian military.
The researchers discovered the hack while conducting ordinary monitoring of suspected-North Korean APTs’ activities. They identified a leaked email collection containing an implant linked with North Korean groups and information stolen from the Russian organization.
According to the leaked emails, the intrusion was spotted by the Russian firm in May 2022.
“In mid-May 2022, roughly a week prior to Russia vetoing a U.N. resolution to impose new sanctions on North Korea for intercontinental ballistic missile launches that could deliver nuclear weapons, the victim organization internally flagged the intrusion. Internal NPO Mashinostroyeniya emails show IT staff exchanged discussions highlighting questionable communications between specific processes and unknown external infrastructure.” reads the analysis published by SentinelOne. “The same day, the NPO Mashinostroyeniya staff also identified a suspicious DLL file present in different internal systems.”
OpenCarrot is a Windows backdoor that was first detected by IBM XForce, it supports a wide range of functionalities.
The variant analyzed by SentinelOne supports proxying C2 communication through the internal network hosts and directly to the external server, a circumstance that suggests it was employed in attacks that could result in network-wide compromise.
The initial attack vector is still unknown, but researchers speculate the victim was targeted with spear-phishing messages aimed at delivering the RokRAT backdoor.
“With a high level of confidence, we attribute this intrusion to threat actors independently associated with North Korea. Based on our assessment, this incident stands as a compelling illustration of North Korea’s proactive measures to covertly advance their missile development objectives, as evidenced by their direct compromise of a Russian Defense-Industrial Base (DIB) organization.” concludes the report. “The convergence of North Korean cyber threat actors represents a profoundly consequential menace warranting comprehensive global monitoring.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, NPO Mashinostroyeniya)
