A Russian defense industrial base organization specializing in missiles and military spacecraft appears to have been targeted by two important North Korean hacking groups.
On the surface, North Korea seems to have been one of Russia’s strongest allies since the start of the Ukraine war, with Pyongyang recently showing off its missiles to Russian officials.
However, research conducted by cybersecurity firm SentinelOne appears to show that North Korea is actually targeting Russia in cyberspace, likely in an attempt to steal information about its missiles.
SentinelOne has seen evidence suggesting that two North Korean threat actors, ScarCruft and the notorious Lazarus, targeted Russian missile maker NPO Mashinostroyeniya (also known as JSC MIC Mashinostroyenia and NPO Mash).
The security firm’s researchers came across leaked emails apparently originating from NPO Mashinostroyeniya, a sanctioned organization that possesses valuable information on missile technology developed and used by Russia.
The leak appeared accidental and included many emails, some of which discussed a breach detected within the organization. The attackers managed to intercept emails and steal data.
A Windows backdoor named OpenCarrot and infrastructure used in the attack enabled SentinelOne to link the operation to the North Korean state-sponsored hacker groups.
“This engagement establishes connections between two distinct DPRK-affiliated threat actors, suggesting the potential for shared resources, infrastructure, implants, or access to victim networks,” the security firm said.
It added, “Moreover, we acknowledge the possibility that the assigned task of an intrusion into NPO Mashinostroyeniya might have warranted targeting by multiple autonomous threat actors due to its perceived significance.”
The leaked emails seem to have come from an employee who was investigating the incident and uploaded some files to VirusTotal or a similar service.
One expert told the publication that even if North Korean hackers managed to steal Russian missile plans, actually reproducing them would take a ‘lot more’ than that.