Russian missile and satellite developer breached by North Korean hackers
Cybersecurity researchers disclosed a breach in which two North Korean hacking groups gained unauthorized access to the internal systems of NPO Mashinostroyeniya, a prominent Russian missile and satellite developer. The intrusion lasted five to six months during 2022.
The breach consisted of two separate compromises, both attributed to North Korean actors. Together they gave access to sensitive internal IT infrastructure of the Russian defense industrial base (DIB) organization.
- One vector was the compromise of Mashinostroyeniya's email server. The ScarCruft threat actor, closely associated with North Korea, was identified as responsible for this intrusion.
- The other vector was the deployment of a Windows backdoor named OpenCarrot, attributed to the Lazarus group, another North Korean actor known for its cybercriminal activity. OpenCarrot served as a persistent foothold, giving the attackers more than 25 backdoor commands covering file and process manipulation, reconnaissance, network connections, and reconfiguration of the implant.
Researchers discovered the breach mostly by accident while tracking suspected North Korean threat actors. Leaked email collections revealed an implant connected to prior DPRK-affiliated campaigns. These emails, dating back to mid-May 2022, were linked to NPO Mashinostroyeniya, confirming where the breach had occurred.
The compromised email server communicated outbound with external infrastructure attributed to the ScarCruft threat actor, although the exact initial access method and the implant's functionality on that server remain uncertain.
In the Lazarus case, analysis identified the DLL implant as a variant of the OpenCarrot Windows backdoor. It was implemented as a Windows service DLL, which lets it run persistently under a service host, and it gave the attackers reconnaissance, file and process manipulation, reconfiguration, and command-and-control (C2) connectivity.
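Service DLLs are a common persistence location because a DLL registered under a service's `Parameters\ServiceDll` value is loaded by `svchost.exe` at boot without a separate executable on disk. The following PowerShell script is an added defensive example, not code from the article or from the researchers' report; it assumes an elevated session on a Windows host and simply audits registered service DLLs, flagging any that sit outside `%SystemRoot%`, are missing from disk, or lack a valid Authenticode signature.

```powershell
# Added example: audit Windows services that load a DLL through svchost, the
# persistence mechanism the article attributes to the OpenCarrot implant.
# Assumes an elevated PowerShell session; reads only the registry and file system.
$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot = [Environment]::GetFolderPath('Windows')

Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $name   = $_.PSChildName
    $params = "$svcRoot\$name\Parameters"
    $dll    = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { return }   # service has no ServiceDll value; skip

    # Expand %SystemRoot%-style variables so the path can be checked on disk.
    $path    = [Environment]::ExpandEnvironmentVariables($dll)
    $reasons = @()

    if ($path -notlike "$systemRoot\*") { $reasons += 'DLL outside %SystemRoot%' }

    if (-not (Test-Path -Path $path)) {
        $reasons += 'DLL file missing'
    } else {
        # Catalog-signed Microsoft DLLs report Status 'Valid'; anything else deserves a look.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service    = $name
            ServiceDll = $path
            Reason     = ($reasons -join '; ')
        }
    }
} | Sort-Object Service | Format-Table -AutoSize
```

Output is a table of suspicious entries only; an empty table means every registered service DLL lives under the Windows directory and carries a valid signature. Treat flagged rows as leads for triage (compare against a known-good baseline or a second host) rather than as verdicts, since third-party software legitimately registers service DLLs under Program Files.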
No comment or further information has been made available by the Russian defense industrial base (DIB) or by Mashinostroyeniya.