Russian Missile Manufacturer Breached By North Korean Hackers

Based on a recent report published by Sentinel Labs, it seems North Korean state-sponsored hackers are fine with targeting critical infrastructure within an ally's borders.

The report shows that the North Korean government is prepared to target allies supporting its contentious missile program, including a Russian missile manufacturer.


The attack was detected when Sentinel Labs security researchers were conducting routine hunting and tracking of suspected North Korean threat actors.

Researchers discovered a leaked email collection containing an implant. The implant showed many hallmarks associated with known North Korean state-sponsored groups.

This implant, in turn, led researchers to discover a far more extensive intrusion into the infrastructure of the victim, NPO Mashinostroyeniya.

Researchers describe the victim as,

...a leading Russian manufacturer of missiles and military spacecraft. The organization's parent company is JSC Tactical Missiles Corporation KTRV (Russian: АО «Корпорация Тактическое Ракетное Вооружение», КТРВ). NPO Mashinostroyeniya is a sanctioned entity that possesses highly confidential intellectual property on sensitive missile technology currently in use and under development for the Russian military.

The timing of the attack is also interesting. The victim flagged a possible intrusion by a malicious actor about a week before Russia vetoed a U.N. resolution that would have imposed new sanctions on North Korea for launches of intercontinental ballistic missiles that have been determined capable of delivering nuclear weapons.

Leaked emails belonging to the victim show IT staff discussing findings that suggested communications between internal processes and an external third party had occurred.

The staff of the sanctioned missile manufacturer also discovered a suspicious DLL file. A month later, NPO Mashinostroyeniya contacted their antivirus software support staff to determine why this suspicious activity was not detected.

Following Sentinel One's investigation, the suspicious DLL file was determined to be a version of the OpenCarrot backdoor, which has previously been linked to Lazarus Group, North Korea's infamous state-sponsored group known for carrying out both cyber espionage campaigns and more financially motivated attacks, such as robbing banks or stealing cryptocurrency.

OpenCarrot has been described by researchers as,

...a feature-rich, configurable, and versatile backdoor, the malware is a strong enabler of the group's operations. With a wide range of supported functionality, OpenCarrot enables full compromise of infected machines, as well as the coordination of multiple infections across a local network. The OpenCarrot variant we analyzed supports proxying C2 communication through the internal network hosts and directly to the external server, which supports the strong possibility of a network-wide compromise.

Links to ScarCruft

While the links to Lazarus are certainly notable, it was the infrastructure used by the attackers that would help researchers attribute the attack.

Emails discovered by researchers that included the above-mentioned suspicious network traffic belonged to the business's Linux email server, hosted publicly at vpk.npomash[.]ru (185.24.244[.]11).

This email server has been linked to ScarCruft, an infamous North Korean state-sponsored threat actor known for targeting high-value individuals and organizations that would further the hermit kingdom's geopolitical objectives.

Researchers provided further evidence of ScarCruft involvement by tracking the infrastructure and comparing it with that used in recent ScarCruft campaigns.

While it might be possible that Lazarus and ScarCruft are operating together, no smoking gun currently proves such an association. However, the presence of both Lazarus and ScarCruft tooling in the same intrusion suggests some form of cooperation.

The use of OpenCarrot has been strongly linked to Lazarus in the past. In the sample discovered by security researchers, it was noted that backdoor commands are indexed by consecutive integers, a common trait of Lazarus' malware.

Researchers did note several other interesting features of the sample of OpenCarrot discovered in the missile manufacturer's IT infrastructure. The malware has 25 commands that can be used to carry out various operations suited to cyber espionage.

Three categories of these commands stand out, facilitating:

  • Reconnaissance: File and process attribute enumeration, scanning, and ICMP-pinging hosts in IP ranges for open TCP ports and availability.
  • Filesystem and process manipulation: Process termination, DLL injection, file deletion, renaming, and timestamping.
  • Reconfiguration and connectivity: Managing C2 communications, including terminating existing and establishing new comms channels, changing malware configuration data stored on the filesystem, and proxying network connections.

Sentinel Labs concluded that the attack shows how far North Korea will go to further its missile and weapons programs and that they'll even target an ally's critical infrastructure to further those aims.

It was further concluded that,

The convergence of North Korean cyber threat actors represents a profoundly consequential menace warranting comprehensive global monitoring. Operating in unison as a cohesive cluster, these actors consistently undertake a diverse range of campaigns motivated by various factors. In light of these findings, it becomes crucial to address and mitigate this threat with utmost vigilance and strategic response.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
