North Korean Cyber-Espionage Campaign Targets Russian Missile Manufacturer
Sanctioned Russian Missile Factor a North Korean Hack Target
Overt Operator
August 09, 2023
Security researchers at SentinelLabs have unearthed a likely cyber-espionage campaign by North Korean hackers targeting NPO Mashinostroyeniya, a Russian manufacturer of intercontinental ballistic missiles and aerospace equipment. This discovery underscores the increasing global concern over state-sponsored cyber warfare.
NPO Mashinostroyeniya, which has been sanctioned by the U.S. for its involvement in Russia's invasion of Ukraine, became the subject of an investigation after internal emails leaked.
The emails revealed questionable communications between specific processes and unknown external infrastructure, according to SentinelLabs.
On the same day, the staff at the Russian company identified a suspicious DLL file present across various internal systems. The lack of detection by their antivirus solution led them to engage with support staff to determine the cause. In the month following the intrusion, they worked to understand why this activity went unnoticed.
SentinelLabs remains uncertain about the initial access vector, but the research points to North Korean actors compromising an email server at NPO Mashinostroyeniya. The hackers then reportedly deployed a Windows backdoor named "OpenCarrot" into the network.
The attack was attributed to ScarCruft (APT37), a known North Korean group, although the OpenCarrot backdoor is more commonly linked to another Pyongyang-affiliated group called Lazarus.
According to the report, the backdoor offers a broad array of functionalities, allowing for reconnaissance, file system manipulation, process manipulation, and reconfiguration or connectivity. OpenCarrot's versatility makes it a potent tool for attackers, enabling complete compromise of infected systems and the potential for network-wide breaches.
The OpenCarrot variant analyzed by SentinelLabs also supports proxying command and control (C2) communication through internal network hosts directly to an external server. This further strengthens the likelihood of a widespread network compromise.
North Korea's interests in this attack are far from random. Under the regime of Kim Jong-un, North Korea has been focused on advancing its nuclear and missile program. The hermit kingdom has allegedly used billions stolen from crypto firms and banks to fund these efforts. It seems logical that cyber-espionage would be another avenue pursued to acquire vital intellectual property to further their ambitions.