North Korean threat actors drew the attention of security experts throughout the year, revealing fruitful campaign insights, including:
- New reconnaissance tools
- Multiple new supply chain intrusions
- Elusive multi-platform targeting
- New sly social engineering tactics
Last year, an elite group of North Korean hackers secretly infiltrated the internal networks of one of Russia's major missile developers for five months.
Cybersecurity researchers at SentinelOne Labs recently identified that North Korean hackers had breached the internal networks of one of Russia's leading missile and military engineering companies.
North Korean Hackers Breached Top Russian Missile Company
While investigating the North Korean threat actor, SentinelOne Labs' analysts discovered a DPRK-linked implant in a leaked email collection, uncovering a larger, previously unrecognized intrusion.
The targeted organization is NPO Mashinostroyeniya, a sanctioned Russian missile and spacecraft manufacturer, owned by JSC Tactical Missiles Corporation KTRV, that holds confidential missile technology.
The leaked data consists largely of unrelated emails, suggesting the leak was accidental or unconnected to the intrusion. Still, it offers valuable insight into:
- Network design
- Security gaps
- Other attackers
Compromise Through Email
NPO Mashinostroyeniya emails reveal IT staff discussions about suspicious communications and DLL files. After the intrusion, the staff sought support from their antivirus vendor to address detection issues.
Experts discovered a version of the OpenCarrot Windows backdoor, linked to the Lazarus group, which enables full machine compromise and network-wide attacks, including proxying of C2 communication.
The analyzed OpenCarrot sample was a DLL designed for persistence; it implements more than 25 Lazarus group backdoor commands with diverse functionalities such as:
- Filesystem manipulation
- Process manipulation
North Korean threat actors' weak OPSEC enables researchers to gather unique insights into unreported activities and to track campaign evolution through infrastructure connections.
Experts linked the JumpCloud intrusion to North Korean threat actors, noting similarities in domain themes with the NPO Mash infrastructure.
Though not definitive, this raises questions about the threat actors' infrastructure creation and management procedures, along with other possible connections.
Security analysts confidently attribute the intrusion to North Korean-associated threat actors, illustrating North Korea's covert missile development agenda through the direct compromise of a Russian Defense-Industrial Base (DIB) organization.