Between late 2021 and May 2022 [6], two elite North Korean hacker groups, ScarCruft and Lazarus [3] [4], targeted NPO Mashinostroyeniya [1] [2] [3] [4] [5] [6] [7], a Russian missile engineering company [1] [5] [7]. This cyberattack aimed to access intellectual property related to intercontinental ballistic missiles and aerospace equipment.

Description

NPO Mashinostroyeniya is heavily involved in the development of hypersonic missiles [3] [6], satellite technologies [3] [4], and ballistic armaments [3] [4]. These areas of expertise are of great interest to North Korea as it seeks to create an Intercontinental Ballistic Missile (ICBM) capable of reaching the United States [3]. The hackers successfully infiltrated the company's IT network, gaining access to email traffic, moving between internal networks, and extracting valuable data. They compromised a Linux email server and deployed a Windows backdoor known as OpenCarrot [1] [5] [7], which granted them full control over infected machines and enabled coordination of multiple infections across the network [1] [5] [7]. While the attack is primarily attributed to the ScarCruft group, also known as APT37, the OpenCarrot backdoor is a tool commonly associated with Lazarus. The exact method of breach and delivery of OpenCarrot remains unknown [1] [5], although ScarCruft is known to employ social engineering techniques [1] [5] [7]. Security researchers [2] [3], including SentinelOne [3], have confidently attributed the attack to North Korea based on the reuse of known malware and infrastructure from previous intrusions. This incident demonstrates North Korea's proactive measures to advance its missile development objectives by compromising a Russian Defense-Industrial Base organization [1] [5] [7].

Conclusion

The Kim Jong-un regime's pursuit of a nuclear and missile program [2], funded through stolen funds [2], provides a clear motive for engaging in cyber-espionage activities. The convergence of separate North Korean cyber threat actors in a single intrusion poses a significant global security concern [6], particularly in relation to supporting North Korea's missile program [6]. Addressing and mitigating this threat requires comprehensive monitoring and a strategic response [6].

References

[1] https://thehackernews.com/2023/08/north-korean-hackers-targets-russian.html
[2] https://www.infosecurity-magazine.com/news/north-korean-hackers-russian/
[3] https://news.yahoo.com/exclusive-north-korean-hackers-breached-095442773.html
[4] https://www.newsmax.com/newsfront/north-korea-hackers-russia/2023/08/07/id/1129840/
[5] https://www.redpacketsecurity.com/north-korean-hackers-targets-russian-missile-engineering-firm/
[6] https://www.laprensalatina.com/north-korean-hackers-breach-russian-missile-maker-says-us-research-firm/
[7] https://vulners.com/thn/THN:C87FA06206FBABF482D5F0DAF8FA2535