North Korea ‘Hacked Russian Missile Firm’

Soyuz rocket launch at Baikonur Cosmodrome, November 2013. Image credit: NASA

Two distinct North Korean hacking groups compromised elite Russian missile engineering firm NPO Mash, say security researchers

Two distinct North Korean state-affiliated hacking groups compromised the same Russian missile engineering company last year, researchers have found.

The engineering company NPO Mashinostroyeniya, known as NPO Mash, based in Reutov, near Moscow, was separately compromised by the ScarCruft and Lazarus hacking groups for at least five months in 2022, according to computer security firm SentinelOne.

NPO Mash is a leading manufacturer of missiles and spacecraft for the Russian military and possesses highly sensitive missile technology, SentinelOne said.

The Mountain View, California-based security firm said it stumbled upon the hack when it discovered a cache of internal communications accidentally leaked by an NPO Mash IT staff member who was investigating the North Korean hack.


Russians hacked

SentinelOne said its subsequent investigation found the ScarCruft threat group had compromised an NPO Mash Linux email server, while Lazarus Group had implanted a Windows backdoor called OpenCarrot into NPO Mash’s internal network.

ScarCruft, also known as APT37, is associated with North Korea’s Ministry of State Security (MSS), while Lazarus Group is part of Lab 110, linked to the Reconnaissance General Bureau (RGB), the country’s primary foreign intelligence agency.

The security firm said it was unclear whether the two groups had worked together or whether the target had been deemed “important enough to assign to multiple independent threat actors”.

The hack was evidently intended to obtain information that could aid North Korea’s project of building an intercontinental ballistic missile (ICBM) capable of reaching targets in North America, SentinelOne said.

Soyuz launch pad at Baikonur Cosmodrome, November 2013. Image credit: NASA

Crypto thefts

SentinelOne was unable to determine what data, if any, had been stolen.

NPO Mash internally detected the intrusions in May 2022, the security firm said, adding that the intrusions had been in place since roughly late 2021.

The incident shows that North Korea is willing to attack even its own allies to support its missile programme, said researcher Tom Hegel.

NPO Mash has been associated with cutting-edge missile technology including hypersonic missiles and the use of solid propellants.

North Korea is believed to be behind billions of dollars in cryptocurrency thefts since 2017, with the stolen funds thought to constitute about half of the funding for its missile programme.