While conducting its usual hunting and tracking of suspected-North Korean threat actors, SentinelLabs has identified a leaked email collection containing an implant with characteristics related to previously reported DPRK-affiliated threat actor campaigns. A thorough investigation of the email archive revealed a larger intrusion, not fully recognised at the time by the compromised organisation.
The victim organisation is NPO Mashinostroyeniya (JSC MIC Mashinostroyenia, NPO Mash), a leading Russian manufacturer of missiles and military spacecraft. NPO Mashinostroyeniya is a sanctioned entity that possesses highly confidential intellectual property on sensitive missile technology currently in use and under development for the Russian military.
In mid-May 2022, roughly a week prior to Russia vetoing a U.N. resolution to impose new sanctions on North Korea for intercontinental ballistic missile launches that could deliver nuclear weapons, the victim organisation internally flagged the intrusion. Internal NPO Mashinostroyeniya emails show IT staff exchanged discussions highlighting questionable communications between specific processes and unknown external infrastructure. The same day, the NPO Mashinostroyeniya staff also identified a suspicious DLL file present in different internal systems. The month following the intrusion, NPO Mashinostroyeniya engaged with their AV solution’s support staff to determine why this and other activity was not detected.
Following an examination of the emails and an in-depth investigation into the two separate sets of suspicious activity, SentinelLabs has successfully established a correlation between each cluster of activity and a respective threat actor amounting to a more significant network intrusion than the victim organisation realised.
Key points:
- SentinelLabs has identified an intrusion into the Russian defence industrial base, specifically, missile engineering organisation NPO Mashinostroyeniya.
- Two instances of North Korea-related compromise of sensitive internal IT infrastructure within this same Russian Defence-Industrial Base (DIB), including a specific email server, alongside the use of a Windows backdoor dubbed OpenCarrot, have been identified.
- SentinelLabs’ analysis attributes the email server compromise to the ScarCruft threat actor. The team at SentinelLabs also identifies the separate use of a Lazarus Group backdoor for compromise of NPO Mashinostroyeniya’s internal network.
- At this time, SentinelLabs cannot determine the potential nature of the relationship between the two threat actors and acknowledges a potential sharing relationship between the two DPRK-affiliated threat actors as well as the possibility that tasking deemed this target important enough to assign to multiple independent threat actors.
With a high level of confidence, SentinelLabs attributes this intrusion to threat actors independently associated with North Korea. Based on their assessment, this incident stands as a compelling illustration of North Korea’s proactive measures to covertly advance their missile development objectives, as evidenced by their direct compromise of a Russian DIB organisation.
The convergence of North Korean cyber threat actors represents a profoundly consequential menace warranting comprehensive global monitoring. Operating in unison as a cohesive cluster, these actors consistently undertake a diverse range of campaigns motivated by various factors. In light of these findings, it becomes crucial to address and mitigate this threat with utmost vigilance and strategic response.
