North Korean Attackers Penetrated Russian Rocket Designer’s Systems

Apparently, loose alliances between governments don’t extend to the digital realm—North Korean attackers not only breached a Russian missile maker but resided in its systems for nearly six months.

Both the Lazarus and ScarCruft gangs inserted digital backdoors into NPO Mashinostroyeniya’s system, according to a report from Reuters, which discovered the caper.

Not much is known about the bad actors’ exploits—the rocket developer didn’t offer details to Reuters, nor did the Russian Embassy in Washington respond; the news outlet couldn’t determine whether data was taken. What is known is that the attack came to light after Russian Defense Minister Sergei Shoigu traveled to Pyongyang to mark the anniversary of the Korean War and North Korea made announcements about changes to its ballistic missile program, which is currently banned.

But the report cited findings by SentinelOne that led the security firm to believe that the threat actors were able to read email, move from network to network and tease out data. “These findings provide rare insight into the clandestine cyber operations that traditionally remain concealed from public scrutiny or are simply never caught by such victims,” Reuters said, citing Tom Hegel, a security researcher with SentinelOne.

“The initial attack vector or method is still unknown, but the wealth of information that was gleaned from the accidental email leak is incredible,” said Timothy Morris, chief security advisor at Tanium. “Not to mention, funny; sometimes luck is better than skill when it comes to finding intrusions.”


Hegel’s team of security analysts at SentinelOne learned of the attack after discovering that an NPO Mash IT staffer accidentally leaked his company’s internal communications while attempting to investigate the North Korean attack by uploading evidence to a private portal used by cybersecurity researchers worldwide.

“While conducting our usual hunting and tracking of suspected North Korean threat actors, we identified a leaked email collection containing an implant with characteristics related to previously reported DPRK-affiliated threat actor campaigns,” Hegel wrote in a blog post, explaining that a deeper probe uncovered the larger intrusion.

“We are highly confident that the emails related to this activity originated from the victim organization. Furthermore, there are no discernible signs of manipulation or technically verifiable inaccuracies present in these emails,” said Hegel.

“It’s essential to highlight that the leaked data comprises a substantial volume of emails unrelated to our current research scope,” he wrote. “This suggests that the leak was likely accidental or resulted from activity unrelated to the specific intrusion under scrutiny in our investigation.”

Currently, SentinelOne can’t “determine the potential nature of the relationship between the two threat actors,” but noted “a potential sharing relationship between the two DPRK-affiliated threat actors as well as the possibility that tasking deemed this target important enough to assign to multiple independent threat actors,” Hegel said.

“There can be several implications as to what this means for Russian and North Korean relationships, but all would be conjecture,” said Morris.

“Truth is, nations spy on nations; it’s what they do, and a Russian missile development plant is a prime target,” said Morris. “The DPRK activities have always been themed to funding their missile program, so breaching a target like this is no surprise.”

Still, “it’s not surprising that nation-state attackers were able to break into the network of a Russian design bureau so they could exfiltrate sensitive information,” said Phil Neray, vice president of cyber defense strategy at CardinalOps.

“All it takes is a sophisticated phishing attack with a malicious attachment to execute initial access and install the backdoor for persistence,” said Neray. “It’s also likely that the design bureau was missing key network monitoring tools and the right SIEM detection rules because the attack went undetected for five months.”

SentinelOne said that a review of internal NPO Mashinostroyeniya emails “show IT staff exchanged discussions highlighting questionable communications between specific processes and unknown external infrastructure.” And that same day, they “also identified a suspicious DLL file present in different internal systems,” Hegel wrote.

That was about a week before Russia vetoed efforts by the UN to impose new sanctions on North Korea’s ICBM launches. About a month later, “NPO Mashinostroyeniya engaged with their AV solution’s support staff to determine why this and other activity was not detected,” Hegel wrote.


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
