Connect with us

Hi, what are you looking for?



North Korean Hackers Targeted Russian Missile Developer

A sanctioned Russian missile maker appears to have been targeted by two important North Korean hacking groups.

North Korean hacking Ulchi Freedom Shield

A Russian defense industrial base organization specializing in missiles and military spacecraft appears to have been targeted by two important North Korean hacking groups.

On the surface it seems that North Korea is one of Russia’s strongest allies since the start of the Ukraine war, with Pyongyang recently showing off its missiles to Russian officials. 

However, research conducted by cybersecurity firm SentinelOne appears to show that North Korea is actually targeting Russia in cyberspace, likely in an attempt to steal information about its missiles.

SentinelOne has seen evidence suggesting that two North Korean threat actors, ScarCruft and the notorious Lazarus, targeted Russian missile maker NPO Mashinostroyeniya (also known as JSC MIC Mashinostroyenia and NPO Mash).

The security firm’s researchers came across leaked emails apparently originating from NPO Mashinostroyeniya, a sanctioned organization that possesses valuable information on missile technology developed and used by Russia. 

The leak appeared accidental and included many emails, some of which discussed a breach detected within the organization. The attackers managed to intercept emails and steal data. 

A Windows backdoor named OpenCarrot and infrastructure used in the attack enabled SentinelOne to link the operation to the North Korean state-sponsored hacker groups. 

Advertisement. Scroll to continue reading.

“This engagement establishes connections between two distinct DPRK-affiliated threat actors, suggesting the potential for shared resources, infrastructure, implants, or access to victim networks,” the security firm said. 

It added, “Moreover, we acknowledge the possibility that the assigned task of an intrusion into NPO Mashinostroyeniya might have warranted targeting by multiple autonomous threat actors due to its perceived significance.”

Reuters conducted its own investigation into the MPO Mashinostroyeniya breach and found that the intrusion likely began in late 2021 and it was discovered in May 2022. 

The leaked emails seem to have come from an employee who was investigating the incident and uploaded some files to VirusTotal or a similar service.  

One expert told the publication that even if North Korean hackers managed to steal Russian missile plans, actually reproducing them would take a ‘lot more’ than that. 

Related: Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks

Related: Russia Blames US Intelligence for iOS Zero-Click Attacks

Related: ‘Hackers’ Behind Air Raid Alerts Across Russia: Official

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...