A Russian defense industrial base organization specializing in missiles and military spacecraft appears to have been targeted by two important North Korean hacking groups.
On the surface, North Korea seems to have been one of Russia’s strongest allies since the start of the Ukraine war, with Pyongyang recently showing off its missiles to Russian officials.
However, research conducted by cybersecurity firm SentinelOne appears to show that North Korea is actually targeting Russia in cyberspace, likely in an attempt to steal information about its missiles.
SentinelOne has seen evidence suggesting that two North Korean threat actors, ScarCruft and the notorious Lazarus, targeted Russian missile maker NPO Mashinostroyeniya (also known as JSC MIC Mashinostroyenia and NPO Mash).
The security firm’s researchers came across leaked emails apparently originating from NPO Mashinostroyeniya, a sanctioned organization that possesses valuable information on missile technology developed and used by Russia.
The leak appeared accidental and included many emails, some of which discussed a breach detected within the organization. The attackers managed to intercept emails and steal data.
A Windows backdoor named OpenCarrot and infrastructure used in the attack enabled SentinelOne to link the operation to the North Korean state-sponsored hacker groups.
“This engagement establishes connections between two distinct DPRK-affiliated threat actors, suggesting the potential for shared resources, infrastructure, implants, or access to victim networks,” the security firm said.
It added, “Moreover, we acknowledge the possibility that the assigned task of an intrusion into NPO Mashinostroyeniya might have warranted targeting by multiple autonomous threat actors due to its perceived significance.”
Reuters conducted its own investigation into the NPO Mashinostroyeniya breach and found that the intrusion likely began in late 2021 and was discovered in May 2022.
The leaked emails seem to have come from an employee who was investigating the incident and uploaded some files to VirusTotal or a similar service.
One expert told the publication that even if North Korean hackers managed to steal Russian missile plans, actually reproducing them would take a ‘lot more’ than that.

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
