North Korean state-backed hackers breached major Russian missile maker

Russia’s major missile manufacturer was breached by state-backed North Korean hackers for months, researchers have found.

At least two different North Korean nation-state threat groups have been linked to the hack of Mashinostroyeniya, or Mash, Russia’s famous rocket design company. The incident began in late 2021 and continued until May of last year, the cybersecurity firm SentinelLabs found.

The researchers attributed the hack to the North Korean cyberespionage group ScarCruft, which breached the enterprise's email server, and the notorious Lazarus group, which installed digital backdoors into its systems.

It is not yet clear what information the hackers were able to access and how Pyongyang used it. Nevertheless, the breach brings attention to a potential strain in relations between North Korea and its "comrade in arms."

Founded during World War II, Mash was the leading developer of Soviet cruise missiles, intercontinental ballistic missiles and space satellites.

The company was sanctioned in 2014 following Russia’s annexation of the Crimean peninsula in Ukraine.

These days, Russia employs Mash-manufactured missiles to target Ukraine. In July, Moscow launched a barrage of Onyx supersonic cruise missiles, developed by Mash, at the Ukrainian port city of Odesa, destroying grain storage facilities and a historic cathedral.

Mash, which did not respond to a request for comment, is a lucrative target for nation-state hackers because it has highly confidential intellectual property on sensitive missile technology that is currently in use and under development for the Russian military, according to SentinelLabs.

The researchers described the intrusion as “a highly desirable strategic espionage mission supporting North Korea’s contentious missile program.”

Cyberattacks on foreign arms manufacturers could be another way for the country “to covertly advance its missile development objectives,” the researchers said.

Just last week, the country’s dictator Kim Jong-un visited several major North Korean arms factories, including facilities making engines for strategic cruise missiles, and called for increased weapons production.

North Korean hack

The company noticed the intrusion in May 2022 when it came across a suspicious file in various internal systems.

Researchers found that the file was a version of the OpenCarrot backdoor for Windows devices, known to be linked to Lazarus group activities.

The analyzed OpenCarrot variant has reconnaissance, filesystem and process manipulation, and reconfiguration and connectivity capabilities.

SentinelLabs also discovered that Mash’s Linux email server was compromised by the ScarCruft threat actor.

ScarCruft — also referred to as Inky Squid, APT37, or Group123 — is commonly attributed to North Korea’s state-sponsored activity, targeting high-value individuals. Lazarus, meanwhile, is known for lucrative cryptocurrency heists, and is believed to have netted more than $2 billion in digital assets.

As of now, it remains unclear whether the two groups operated independently or coordinated their actions, but this attack indicates the possibility of them sharing resources, infrastructure, implants, or access to victim networks, the researchers said.