North Korea accused of hacking Russian missile builder

Hackers associated with North Korea have been linked to a data breach at a Russian engineering firm noted for designing missiles

A Russian engineering firm famous for designing ballistic missiles has reportedly been hacked by North Korea.

Researchers with SentinelLabs say that state actors from the DPRK had managed to gain access to the internal networks of NPO Mashinostroyeniya, a Cold War-Era company famous for its work on the Soviet intercontinental ballistic missile program.

"While conducting our usual hunting and tracking of suspected-North Korean threat actors, we identified a leaked email collection containing an implant with characteristics related to previously reported DPRK-affiliated threat actor campaigns," wrote SentinelLabs researchers Tom Hegel and Aleksandar Milenkoski.


"A thorough investigation of the email archive revealed a larger intrusion, not fully recognized at the time by the compromised organization."

The implant in question was linked to Lazarus group, a hacking organization widely recognized as a front for North Korea's money laundering and intel-gathering activities. The SentinelLabs researchers specifically identified the malware as the OpenCarrot Windows OS backdoor.

It is believed that the intrusion occurred by way of a compromised Red Hat email server and was active for some time before being uncovered. The malware was fingerprinted by its use of .DLL files that are commonly associated with Lazarus group.

It should go without question that North Korea hacking a Russian missile firm is a bad thing for the rest of the world, but this case is even more peculiar because the two parties are said to be allies.

"This intrusion gives rare insight into sensitive DPRK cyberespionage campaigns, and an opportunity to expand our understanding of the relationship and goals between various North Korean cyber threat actors," notes SentinelLabs,

"It also highlights a potential rift in relations between Russia and North Korea, considering their growing relationship."

If there is any good news to be had from this situation it is that the DPRK hackers apparently did a poor job of covering their tracks, making it easy for researchers to work out the extent of their nefarious activity.

"North Korean-nexus of threat actors are known for not maintaining the OPSEC of their campaigns," said SentinelLabs.

"A characteristic lack of segmentation allows researchers to amass unique insights across a variety of unreported activity. Infrastructure connections in particular often allow us to track the evolution of their campaigns over long periods of time."