According to a recent report published by Sentinel Labs, North Korean state-sponsored hackers are willing to target critical infrastructure inside an ally's borders.
The report shows that the North Korean government is prepared to target allies supporting its contentious missile program, including a Russian missile manufacturer.
The intrusion was detected while Sentinel Labs security researchers were conducting routine hunting and tracking of suspected North Korean threat actors.
Researchers discovered a leaked email collection containing an implant. The implant showed many hallmarks associated with known North Korean state-sponsored groups.
This implant, in turn, led researchers to uncover a far more extensive intrusion into the infrastructure of the victim, NPO Mashinostroyeniya.
Researchers describe the victim as,
...a leading Russian manufacturer of missiles and military spacecraft. The organization's parent company is JSC Tactical Missiles Corporation KTRV (Russian: АО «Корпорация Тактическое Ракетное Вооружение», КТРВ). NPO Mashinostroyeniya is a sanctioned entity that possesses highly confidential intellectual property on sensitive missile technology currently in use and under development for the Russian military.
The timing of the attack is also notable: the victim flagged a possible intrusion by a malicious actor roughly a week before Russia vetoed a U.N. resolution that would have imposed new sanctions on North Korea for launches of intercontinental ballistic missiles assessed as capable of delivering nuclear weapons.
Leaked emails belonging to the victim show IT staff discussing the matter and flagging suspected communications between internal processes and an external third party.
The staff of the sanctioned missile manufacturer also discovered a suspicious DLL file. A month later, NPO Mashinostroyeniya contacted their antivirus vendor's support staff to ask why this suspicious activity had not been detected.
Following Sentinel One's investigation, the suspicious DLL file was determined to be a version of the OpenCarrot backdoor, which has previously been linked to Lazarus Group, North Korea's infamous state-sponsored group known for carrying out both cyber espionage campaigns and financially motivated attacks such as robbing banks and stealing cryptocurrency.
OpenCarrot has been described by researchers as,
...a feature-rich, configurable, and versatile backdoor, the malware is a strong enabler of the group's operations. With a wide range of supported functionality, OpenCarrot enables full compromise of infected machines, as well as the coordination of multiple infections across a local network. The OpenCarrot variant we analyzed supports proxying C2 communication through the internal network hosts and directly to the external server, which supports the strong possibility of a network-wide compromise.
Links to ScarCruft
While the links to Lazarus are certainly notable, it was the infrastructure used by the attackers that would help researchers attribute the attack.
Emails discovered by researchers that referenced the suspicious network traffic mentioned above belonged to the company's Linux email server, hosted publicly at vpk.npomash[.]ru (185.24.244[.]11).
This email server has been linked to ScarCruft, an infamous North Korean state-sponsored threat actor known for targeting high-value individuals and organizations in pursuit of the hermit kingdom's geopolitical objectives.
Further evidence of ScarCruft's involvement came from tracking the attackers' infrastructure and comparing it with that of recent ScarCruft campaigns.
While Lazarus and ScarCruft may be operating together, no smoking gun currently proves such an association. However, the presence of both Lazarus and ScarCruft tooling in the same intrusion suggests some form of cooperation.
The use of OpenCarrot has been strongly linked to Lazarus in the past. In the sample discovered by security researchers, it was noted that backdoor commands are indexed by consecutive integers, a common trait of Lazarus' malware.
Researchers did note several other interesting features of the sample of OpenCarrot discovered in the missile manufacturer's IT infrastructure. The malware has 25 commands that can be used to carry out various operations suited to cyber espionage.
Three categories stand out:
- Reconnaissance: enumerating file and process attributes, scanning hosts in IP ranges for open TCP ports, and ICMP-pinging them for availability.
- Filesystem and process manipulation: process termination, DLL injection, file deletion, renaming, and timestamp modification.
- Reconfiguration and connectivity: managing C2 communications, including terminating existing and establishing new channels, changing malware configuration data stored on the filesystem, and proxying network connections.
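Two of the behaviours listed above, and in the OpenCarrot description quoted earlier, leave a network footprint a defender can hunt for: an internal host sweeping an IP range (ICMP or a single TCP port across many neighbours) and an internal host relaying C2 traffic for another internal host out to an external server. The script below is an added illustration written for this page, not code from Sentinel Labs or from the report; it runs over constructed flow records (RFC 1918 addresses for the internal side, documentation ranges 203.0.113.0/24 and 198.51.100.0/24 for the external side), and the thresholds, the "internal" definition, and the hand-off window are assumptions you would tune to your own environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Set, Tuple

# Assumption: RFC 1918 space is "internal"; everything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


class Flow(NamedTuple):
    ts: float   # seconds since start of capture
    src: str
    dst: str
    proto: str  # "icmp" or "tcp"
    dport: int  # 0 for icmp


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_sweeps(flows: List[Flow], min_targets: int = 8,
                  window: float = 60.0) -> List[Tuple[str, str, int, int]]:
    """Return (src, proto, dport, n_targets) for every internal source that
    touched at least min_targets distinct internal hosts with the same
    protocol/port inside some window of `window` seconds (ping/port sweep)."""
    keyed = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if is_internal(f.src) and is_internal(f.dst) and f.src != f.dst:
            keyed[(f.src, f.proto, f.dport)].append(f)
    findings = []
    for (src, proto, dport), fl in keyed.items():
        best, start = 0, 0
        for end in range(len(fl)):          # sliding time window
            while fl[end].ts - fl[start].ts > window:
                start += 1
            best = max(best, len({f.dst for f in fl[start:end + 1]}))
        if best >= min_targets:
            findings.append((src, proto, dport, best))
    return findings


def detect_proxy_chains(flows: List[Flow],
                        max_gap: float = 5.0) -> Set[Tuple[str, str, str]]:
    """Return (origin, relay, external) triples: an internal origin talked to
    an internal relay, and the relay opened a connection to an external host
    within max_gap seconds afterwards (the proxied-C2 pattern)."""
    inbound = defaultdict(list)  # relay -> [(ts, origin), ...]
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.src != f.dst:
            inbound[f.dst].append((f.ts, f.src))
    chains = set()
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            for ts, origin in inbound.get(f.src, []):
                if 0 <= f.ts - ts <= max_gap:
                    chains.add((origin, f.src, f.dst))
    return chains


# Constructed sample records for this example; not telemetry from the incident.
SAMPLE_FLOWS = (
    # 10.0.0.5 ICMP-pings 16 consecutive neighbours within a minute: a ping sweep.
    [Flow(float(i), "10.0.0.5", f"10.0.0.{10 + i}", "icmp", 0) for i in range(16)]
    # A single SMB connection is normal traffic, not a sweep.
    + [Flow(20.0, "10.0.0.7", "10.0.0.20", "tcp", 445)]
    # 10.0.0.5 hands traffic to 10.0.0.50, which then reaches an external host.
    + [Flow(100.0, "10.0.0.5", "10.0.0.50", "tcp", 443),
       Flow(100.4, "10.0.0.50", "203.0.113.9", "tcp", 443)]
    # Direct outbound connection with no preceding internal hand-off: not a chain.
    + [Flow(130.0, "10.0.0.7", "198.51.100.20", "tcp", 443)]
)

if __name__ == "__main__":
    for hit in detect_sweeps(SAMPLE_FLOWS):
        print("sweep:", hit)
    for chain in detect_proxy_chains(SAMPLE_FLOWS):
        print("proxy chain:", " -> ".join(chain))
```

On the constructed data the sweep detector flags only 10.0.0.5 (ICMP, 16 targets) and the chain detector reports 10.0.0.5 -> 10.0.0.50 -> 203.0.113.9. Against real NetFlow or firewall logs the same logic applies, but the relay check in particular needs an allowlist for legitimate forward proxies and mail relays, otherwise every host behind a proxy looks like a chain.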
Sentinel Labs concluded that the attack shows how far North Korea will go to advance its missile and weapons programs, to the point of targeting an ally's critical infrastructure.
It was further concluded that,
The convergence of North Korean cyber threat actors represents a profoundly consequential menace warranting comprehensive global monitoring. Operating in unison as a cohesive cluster, these actors consistently undertake a diverse range of campaigns motivated by various factors. In light of these findings, it becomes crucial to address and mitigate this threat with utmost vigilance and strategic response.