North Korean State-Sponsored Hackers Linked To Breach Of Russian Missile Maker

Posted on August 6, 2023 at 8:56 AM


A group of North Korean hackers breached the computer systems of a leading Russian missile development firm. According to a Reuters report, the breach lasted for at least five months.

North Korean hackers breach Russia missile development firm

The Reuters report noted that attackers linked to the North Korean government launched an espionage campaign against Russia. The groups behind the campaign are Lazarus and ScarCruft, two of the most notorious North Korean threat actor groups.

The hackers installed a digital backdoor within NPO Mashinostroyeniya, a rocket design bureau in Reutov. Early analysis of the campaign has not determined whether the hackers stole any data during the intrusion, or what type of information they might have accessed.

The timeline of the campaign coincides with Pyongyang announcing key developments in its banned ballistic missile program. However, whether the hacking campaign was related to its own research on ballistic missiles remains unclear.

NPO Mashinostroyeniya is a designer and manufacturer based in Russia. This company deals in the manufacture of orbital vehicles, spacecraft, tactical defense, and attack missiles that are used by the armies of Russia and India. The company has previously been sanctioned by the US Department of Treasury (OFAC) for the role it played in the Russo-Ukrainian war.

According to research by SentinelLabs, the ScarCruft hacker group is behind this campaign, which targeted the email server and the IT systems of the Russian missile development firm. The attackers installed a Windows backdoor, OpenCarrot, that gave them remote access to the network.

The main goal behind this hacking attack has yet to be determined. The ScarCruft hacker group, or APT37, usually conducts cyber espionage campaigns. Espionage campaigns are aimed at surveillance and stealing data from organizations.

The security researchers who detected the breach said that a leak of emails from the Russian company contained highly confidential information. The communications include a report from an IT staff member warning about a possible cybersecurity incident in mid-May last year.

Sentinel Labs used the information in these emails to conduct an initial investigation. Following the probe, the researchers determined that a much larger intrusion might have happened, with more far-reaching effects than the missile maker had realized.

The leaked emails show IT staff at the missile company discussing suspicious network communications between the processes running in internal devices and the ones running on external servers. The company later detected a malicious DLL within the internal systems, resulting in engagement with the antivirus provider to determine how this breach had happened.

OpenCarrot backdoor

The researchers at Sentinel Labs also analyzed the IP addresses and other indicators of compromise (IOCs) within the leaked emails. The researchers concluded that the Russian missile maker was infected by the OpenCarrot Windows backdoor that allowed the threat actors to obtain unauthorized access.

OpenCarrot is a backdoor malware that contains many features. This malware was previously associated with the North Korean state-sponsored hacker group, the Lazarus Group.

Because of the different techniques used, it has yet to be determined whether ScarCruft and Lazarus conducted the campaign jointly. However, it is not rare for North Korean hacker groups to share tools and tactics across their campaigns, and the tools and tactics of North Korean state-sponsored threat actors usually overlap with one another.

The OpenCarrot malware variant used in this hacking campaign was implemented as a DLL file. This variant supports proxy communications using internal network hosts. The backdoor also supports 25 commands that give the hacker access to the targeted system.

One category of commands is reconnaissance: enumerating file and process attributes, scanning hosts in IP ranges for open TCP ports, and ICMP-pinging them to check availability. Another category of OpenCarrot commands covers filesystem and process manipulation.

This backdoor also has a reconfiguration and connectivity command that helps manage C2 communications. This command also includes halting the existing communication channels while establishing new ones. It can also alter the malware configuration data within the filesystem and proxy the network connections.
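The reconnaissance behaviour described above (one internal host ICMP-pinging a whole IP range and probing TCP ports) leaves a recognisable fan-out pattern in network flow logs. The following detection logic is an added example, not code from the article or from SentinelLabs; the flow-log format, thresholds and sample records are all constructed for illustration.

```python
# Added example: flag internal hosts whose flow records show the host-sweep and
# port-sweep pattern of the OpenCarrot reconnaissance commands. Log format and
# thresholds are assumptions, not a real product's format.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    proto: str   # "icmp" or "tcp"
    dport: int   # 0 for icmp


def parse_flows(text: str) -> list[Flow]:
    """Parse constructed 'ts src dst proto dport' lines into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, src, dst, proto, int(dport)))
    return flows


def find_scanners(flows: list[Flow], icmp_hosts: int = 8, tcp_ports: int = 5) -> dict:
    """Return {src: details} for sources pinging many hosts or sweeping ports on one host."""
    pinged = defaultdict(set)            # src -> set of ICMP destinations
    probed = defaultdict(lambda: defaultdict(set))  # src -> dst -> set of TCP ports
    for f in flows:
        if f.proto == "icmp":
            pinged[f.src].add(f.dst)
        elif f.proto == "tcp":
            probed[f.src][f.dst].add(f.dport)
    hits = {}
    for src in set(pinged) | set(probed):
        port_sweep = any(len(ports) >= tcp_ports for ports in probed[src].values())
        if len(pinged[src]) >= icmp_hosts or port_sweep:
            hits[src] = {"pinged_hosts": len(pinged[src]), "port_sweep": port_sweep}
    return hits


# Constructed sample: 10.0.5.23 sweeps a /24 range and probes seven ports on one
# host; 10.0.5.40 is a normal workstation with a single ping and one SMB session.
SAMPLE_FLOWS = "\n".join(
    [f"2023-05-14T10:00:{i:02d} 10.0.5.23 10.0.5.{i} icmp 0" for i in range(1, 13)]
    + [f"2023-05-14T10:01:00 10.0.5.23 10.0.5.7 tcp {p}" for p in (21, 22, 80, 135, 139, 445, 3389)]
    + ["2023-05-14T10:02:00 10.0.5.40 10.0.5.1 icmp 0",
       "2023-05-14T10:02:05 10.0.5.40 10.0.5.7 tcp 445"]
)

if __name__ == "__main__":
    for src, info in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"suspicious reconnaissance from {src}: {info}")
```

Thresholds should be tuned to the environment; legitimate asset-inventory scanners will also trip them and need an allow-list.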

In cases where legitimate users on the compromised devices are active, the OpenCarrot backdoor enters a sleep state and checks every 15 seconds for the insertion of a new USB drive. If a USB drive is detected, it can be compromised and used for lateral movement.
