North Korean Hackers Breached Leading Russian Missile & Military Engineering Company

North Korean threat actors actively grabbed the attention of security experts, revealing fruitful campaign insights over the year, including:-

  • New reconnaissance tools
  • Multiple new supply chain intrusions
  • Elusive multi-platform targeting
  • New sly social engineering tactics

Last year, a group of North Korean hackers that falls under the elite category secretly infiltrated the internal networks of one of the major Russian missile developers for five months.

EHA

Cybersecurity researchers at SentinelOne Labs recently identified that North Korean hackers hacked the internal networks of one of the leading Russian Missile and  Military engineering company.

North Korean Hackers Breached Top Russian Missile Company

SentinelOne Labs’ analysts discovered a DPRK-linked implant in a leaked email collection during the North Korean threat actor investigation, uncovering a larger unrecognized intrusion.

The targeted organization is NPO Mashinostroyeniya, a Russian missile and spacecraft manufacturer that holds confidential missile tech sanctioned and owned by JSC Tactical Missiles Corporation KTRV.

Leaked data contains unrelated emails, implying accidental or non-related activity. Still, it offers valuable insight into the following things:- 

  • Network design
  • Security gaps
  • Other attackers
Unrelated email alerts (Source – SentinelOne Labs)

Compromise Through Email

NPO Mashinostroyeniya emails reveal IT staff discussions on suspicious communications and DLL files. After the intrusion, they sought AV support to address detection issues.

Email between NPO Mash Employees (Source – SentinelOne Labs)

Experts discovered a version of OpenCarrot Windows OS backdoor, linked to Lazarus group, enabling full machine compromise and network-wide attacks with proxying C2 communication.

Here the analyzed OpenCarrot was used as a DLL file that is designed for persistence and implements more than 25 Lazarus group backdoor commands with diverse functionalities like:-

  • Reconnaissance
  • Filesystem manipulation
  • Process manipulation
  • Reconfiguration 
  • Connectivity
Backdoor command indexing (Source – SentinelOne Labs)

North Korean threat actors lack OPSEC, enabling researchers to gather unique insights on unreported activities and track campaign evolution through infrastructure connections.

Experts linked JumpCloud intrusion to North Korean threat actors, noticing domain theme similarities with NPO Mash.

Though not definitive, it sparks curiosity about threat actor infrastructure creation and management procedures, along with other connections.

Security analysts confidently attribute intrusion to North Korean-associated threat actors, showcasing North Korea’s covert missile development agenda through direct compromise of a Russian Defense-Industrial Base (DIB) organization.

IoCs

MD5:

9216198a2ebc14dd68386738c1c59792
6ad6232bcf4cef9bf40cbcae8ed2f985
d0f6cf0d54cf77e957bce6dfbbd34d8e
921aa3783644750890b9d30843253ec6
99fd2e013b3fba1d03a574a24a735a82
0b7dad90ecc731523e2eb7d682063a49
516beb7da7f2a8b85cb170570545da4b

SHA1:

07b494575d548a83f0812ceba6b8d567c7ec86ed
2217c29e5d5ccfcf58d2b6d9f5e250b687948440
246018220a4f4f3d20262b7333caf323e1c77d2e
8b6ffa56ca5bea5b406d6d8d6ef532b4d36d090f
90f52b6d077d508a23214047e680dded320ccf4e
f483c33acf0f2957da14ed422377387d6cb93c4d
f974d22f74b0a105668c72dc100d1d9fcc8c72de
redhat-packages[.]com
centos-packages[.]com
dallynk[.]com
yolenny[.]com
606qipai[.]com
asplinc[.]com
bsef.or[.]kr
192.169.7[.]197
160.202.79[.]226
96.9.255[.]150
5.134.119[.]142

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.