- North Korean hackers breached a major Russian missile developer, NPO Mashinostroyeniya, for at least five months.
- Cyber-espionage teams ScarCruft and Lazarus installed stealthy digital backdoors into NPO Mash’s systems.
- It remains unclear if data was stolen or linked to North Korea’s ballistic missile program developments.
- Experts warn that North Korea targets even its allies to acquire critical technologies.
- The breach shows how exposed even defence-industrial networks are and raises concerns about the transfer of sensitive missile technology.
Security researchers have found that an elite group of North Korean hackers breached the computer networks of a major Russian missile developer and remained inside them for months last year.
The evidence, reviewed by Reuters and analyzed by security researchers, points to cyber-espionage teams associated with the North Korean government, among them ScarCruft (also tracked as APT37, InkySquid, Reaper and Ricochet Chollima). The same group was reported to have used the Dolphin backdoor against targets in South Korea in December 2022.
The researchers also found traces of Lazarus, the notorious North Korean state-backed group, after identifying the OpenCarrot Windows backdoor on compromised systems, a tool previously attributed to Lazarus.
The hackers installed stealthy backdoors into systems at NPO Mashinostroyeniya, commonly referred to as NPO Mash, a prominent rocket design bureau in Reutov, on the outskirts of Moscow.
Reuters’ investigation did not establish whether any data was taken during the intrusion or what information might have been accessed. It is nonetheless notable that in the months following the breach, North Korea announced significant advances in its banned ballistic missile program, raising suspicions of a connection to the intrusion.
Technical data indicates that the intrusion began in late 2021 and persisted until May 2022, when, according to internal communications reviewed by Reuters, the company’s IT engineers detected the hackers’ activity.
Tom Hegel, a security researcher with the US cybersecurity firm SentinelOne who first uncovered the compromise, said the findings offer rare insight into clandestine cyber operations that usually escape public scrutiny. Hegel’s team came across the hack after an NPO Mash IT staffer, while investigating the attack, uploaded evidence to a private cybersecurity research portal and inadvertently exposed the company’s internal communications.
With a high level of confidence, we attribute this intrusion to threat actors independently associated with North Korea. Based on our assessment, this incident stands as a compelling illustration of North Korea’s proactive measures to covertly advance their missile development objectives, as evidenced by their direct compromise of a Russian Defense-Industrial Base (DIB) organization.
Tom Hegel – SentinelOne
Two independent computer security experts, Nicholas Weaver and Matt Tait, verified the authenticity of the exposed email content by cross-referencing its cryptographic signatures with a set of keys controlled by NPO Mash. SentinelOne expressed confidence that North Korea was responsible for the hack because the cyberspies reused malware and malicious infrastructure already known from other intrusions.
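The check Weaver and Tait performed, confirming that leaked mail was really produced by NPO Mash's systems, relies on a signature that binds selected headers and the body to a key the sender controls. The following Go program is an added illustration written for this page; it is not code from SentinelOne, Reuters or NPO Mash, and it does not reproduce the actual verification (the article does not say which signature scheme the mail carried; DKIM is the usual case, and the structure below is modelled on it in simplified form). The covered header list, the canonicalization, the sample message and the freshly generated key are all constructed assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is a minimal mail message: lower-cased header names to values, plus the body.
type Message struct {
	Headers map[string]string
	Body    string
}

// coveredHeaders are protected by the signature; anything else can be rewritten freely.
var coveredHeaders = []string{"from", "to", "date", "subject"}

// bodyHash returns base64(SHA-256(body)), the equivalent of DKIM's bh= tag.
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(body))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signingInput is what actually gets signed: each covered header as "name:value"
// (whitespace trimmed, a crude stand-in for DKIM relaxed canonicalization), then the body hash.
func signingInput(msg Message, bh string) []byte {
	var b strings.Builder
	for _, name := range coveredHeaders {
		fmt.Fprintf(&b, "%s:%s\r\n", name, strings.TrimSpace(msg.Headers[name]))
	}
	b.WriteString("bh=" + bh)
	return []byte(b.String())
}

// Sign returns the body hash and an RSA-PKCS1v15/SHA-256 signature over the covered headers and that hash.
func Sign(priv *rsa.PrivateKey, msg Message) (bh string, sig []byte, err error) {
	bh = bodyHash(msg.Body)
	digest := sha256.Sum256(signingInput(msg, bh))
	sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return bh, sig, err
}

// Verify checks a message against the sender's public key; it fails if the body
// no longer matches the signed hash or if any covered header changed.
func Verify(pub *rsa.PublicKey, msg Message, bh string, sig []byte) error {
	if bodyHash(msg.Body) != bh {
		return fmt.Errorf("body hash mismatch: body altered after signing")
	}
	digest := sha256.Sum256(signingInput(msg, bh))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("header signature invalid: %w", err)
	}
	return nil
}

// RunChecks signs a constructed sample message (assumed data, not material from the incident)
// with a fresh key, then verifies the original and three tampered copies. A nil result means verified.
func RunChecks() (original, bodyEdited, signedHdrEdited, unsignedHdrEdited error, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	msg := Message{
		Headers: map[string]string{
			"from": "it-admin@example.invalid", "to": "security@example.invalid",
			"date": "Wed, 18 May 2022 10:14:00 +0300", "subject": "Unknown service DLL on workstation",
			"received": "from mx.example.invalid by relay.example.invalid", // not covered
		},
		Body: "Found an unrecognised service DLL; indicators attached.\r\n",
	}
	bh, sig, err := Sign(priv, msg)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	pub := &priv.PublicKey
	tampered := func(edit func(*Message)) error {
		t := Message{Headers: make(map[string]string, len(msg.Headers)), Body: msg.Body}
		for k, v := range msg.Headers {
			t.Headers[k] = v
		}
		edit(&t)
		return Verify(pub, t, bh, sig)
	}
	original = Verify(pub, msg, bh, sig)
	bodyEdited = tampered(func(m *Message) { m.Body = strings.Replace(m.Body, "unrecognised", "approved", 1) })
	signedHdrEdited = tampered(func(m *Message) { m.Headers["subject"] = "Routine maintenance notice" })
	unsignedHdrEdited = tampered(func(m *Message) { m.Headers["received"] = "from attacker.invalid by relay" })
	return original, bodyEdited, signedHdrEdited, unsignedHdrEdited, nil
}

func main() {
	o, b, h, u, err := RunChecks()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original: %v\nbody edited: %v\nsigned header edited: %v\nunsigned header edited: %v\n", o, b, h, u)
}
```

Two points the output makes that matter when judging leaked mail this way: a valid signature shows the covered headers and body are as the signer's system emitted them, but headers outside the covered set (the constructed `received` line here) can be rewritten without breaking it, and the check says nothing about how the signing key was handled, only that whoever held it produced the message.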
The information potentially accessed by North Korean hackers includes details about NPO Mash’s hypersonic missile, “Zircon,” which Russian President Vladimir Putin had praised as a promising product capable of reaching speeds around nine times that of sound.
However, missile expert Markus Schiller, who has researched foreign aid to North Korea’s missile program, downplayed the immediate impact of obtaining plans for the Zircon. Schiller asserted that merely possessing drawings wouldn’t be sufficient to replicate the missile’s capabilities, as the process involves more complexities than what appears on paper.
Nevertheless, NPO Mash’s role as a leading Russian missile designer and producer makes it a highly valuable target. As the company’s advancements could have strategic implications, the breach raises concerns about the potential transfer of sensitive missile-related technology to North Korea.
The incident underscores the isolated nation’s willingness to target even its allies, as evidenced by the breach of Russia’s defence technologies. NPO Mashinostroyeniya has played a crucial role in developing hypersonic missiles, satellite technologies, and newer generation ballistic armaments—areas of immense interest to North Korea in its pursuit of an Intercontinental Ballistic Missile (ICBM) capable of striking the mainland United States.