North Korea ‘Hacked Russian Missile Firm’

Two distinct North Korean state-affiliated hacking groups compromised the same Russian missile engineering company last year, researchers have found.

The engineering company NPO Mashinostroyeniya, known as NPO Mash, based in Reutov, near Moscow, was separately compromised by the ScarCruft and Lazarus hacking groups for at least five months in 2022, according to computer security firm SentinelOne.

NPO Mash is a leading manufacturer of missiles and spacecraft for the Russian military and possesses highly sensitive missile technology, SentinelOne said.

The Mountain View, California-based security firm said it stumbled upon the hack when it discovered a cache of internal communications accidentally leaked by an NPO Mash IT staff member who was investigating the North Korean hack.

Russians hacked

SentinelOne said its subsequent investigation found the ScarCruft threat group had compromised an NPO Mash Linux email server, while Lazarus Group had implanted a Windows backdoor called OpenCarrot into NPO Mash’s internal network.

ScarCruft, also known as APT37, is associated with North Korea’s Ministry of State Security (MSS), while Lazarus Group is part of Lab 110, linked to the Reconnaissance General Bureau (RGB), the country’s primary foreign intelligence agency.

The security firm said it was unclear whether the two groups had worked together or whether the target had been deemed “important enough to assign to multiple independent threat actors”.

The hack was evidently intended to obtain information that could aid North Korea’s project of building an intercontinental ballistic missile (ICBM) capable of reaching targets in North America, SentinelOne said.

Crypto thefts

SentinelOne was unable to determine what data, if any, had been stolen.

NPO Mash internally detected the intrusions in May 2022, the security firm said, adding that the intrusions had been in place since roughly late 2021.

The incident shows that North Korea is willing to attack even its own allies to support its missile programme, said researcher Tom Hegel.

NPO Mash has been associated with cutting-edge missile technology including hypersonic missiles and the use of solid propellants.

North Korea is believed to be behind billions of dollars in cryptocurrency thefts since 2017, with the stolen funds thought to constitute about half of the funding for its missile programme.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
