Two different North Korean nation-state actors have been linked to a cyber intrusion against the major Russian missile engineering company NPO Mashinostroyeniya.
Cybersecurity firm SentinelOne said it identified “two instances of North Korea related compromise of sensitive internal IT infrastructure,” including a case of an email server compromise and the deployment of a Windows backdoor dubbed OpenCarrot.
The breach of the Linux email server has been attributed to ScarCruft. OpenCarrot, on the other hand, is a known implant previously identified as used by the Lazarus Group. The attacks were flagged in mid-May 2022.
A rocket design bureau based in Reutov, NPO Mashinostroyeniya was sanctioned by the U.S. Treasury Department in July 2014 in connection with “Russia’s continued attempts to destabilize eastern Ukraine and its ongoing occupation of Crimea.”
While both ScarCruft (aka APT37) and the Lazarus Group are affiliated with North Korea, it’s worth noting that the former is overseen by the Ministry of State Security (MSS). Lazarus Group is part of Lab 110, which is a constituent of the Reconnaissance General Bureau (RGB), the country’s primary foreign intelligence service.
The development marks a rare convergence where two independent North Korea-based threat activity clusters have targeted the same entity, indicating a “highly desirable strategic espionage mission” that could benefit North Korea’s controversial missile program.
OpenCarrot is implemented as a Windows dynamic-link library (DLL) and supports over 25 commands to conduct reconnaissance, manipulate file systems and processes, and manage several communication mechanisms.
“With a wide range of supported functionality, OpenCarrot enables full compromise of infected machines, as well as the coordination of multiple infections across a local network,” security researchers Tom Hegel and Aleksandar Milenkoski said.
The exact method used to breach the email server as well as the attack chain employed to deliver OpenCarrot remains unknown, although ScarCruft is known to rely on social engineering to phish victims and deliver backdoors like RokRat.
What’s more, a closer inspection of the attack infrastructure has revealed two domains, centos-packages[.]com and redhat-packages[.]com, which bear similarities to the names the threat actors used in the JumpCloud hack in June 2023.
“This incident stands as a compelling illustration of North Korea’s proactive measures to covertly advance their missile development objectives, as evidenced by their direct compromise of a Russian Defense-Industrial Base (DIB) organization,” the researchers said.