North Korean threat actors drew sustained attention from security researchers over the past year, and analysis of their campaigns yielded insights including:
- New reconnaissance tools
- Multiple new supply chain intrusions
- Elusive multi-platform targeting
- New sly social engineering tactics
Last year, an elite group of North Korean hackers secretly infiltrated the internal networks of one of Russia's major missile developers for five months.
Cybersecurity researchers at SentinelOne Labs recently identified that North Korean hackers had compromised the internal networks of one of the leading Russian missile and military engineering companies.
North Korean Hackers Breached Top Russian Missile Company
While investigating North Korean threat actors, SentinelOne Labs analysts discovered a DPRK-linked implant in a leaked email collection, which led them to uncover a larger, previously unrecognized intrusion.
The targeted organization is NPO Mashinostroyeniya, a Russian missile and spacecraft manufacturer holding confidential missile technology; the company is under sanctions and is owned by JSC Tactical Missiles Corporation (KTRV).
The leaked data consists of emails unrelated to the intrusion, which suggests the leak was accidental or the result of unrelated activity. Still, it offers valuable insight into:
- Network design
- Security gaps
- Other attackers
Unrelated email alerts (Source – SentinelOne Labs)
Compromise Through Email
NPO Mashinostroyeniya emails reveal IT staff discussions on suspicious communications and DLL files. After the intrusion, they sought AV support to address detection issues.
Email between NPO Mash Employees (Source – SentinelOne Labs)
Experts discovered a version of the OpenCarrot Windows backdoor, linked to the Lazarus group, which enables full compromise of the infected machine and network-wide attacks, including the proxying of C2 communication.
The analyzed OpenCarrot sample was delivered as a DLL designed for persistence and implements more than 25 Lazarus group backdoor commands covering:
- Reconnaissance
- Filesystem manipulation
- Process manipulation
- Reconfiguration
- Connectivity
Backdoor command indexing (Source – SentinelOne Labs)
The weak OPSEC of North Korean threat actors lets researchers gather unique insights into unreported activity and track how campaigns evolve through shared infrastructure.
Experts have linked the JumpCloud intrusion to North Korean threat actors and noted that the domain themes used there resemble those seen in the NPO Mash intrusion.
Though not definitive, this overlap raises questions about how the threat actors create and manage their infrastructure, and about other possible connections.
Security analysts confidently attribute the intrusion to North Korea-associated threat actors, and it illustrates North Korea's covert missile development agenda through the direct compromise of a Russian Defense-Industrial Base (DIB) organization.
IoCs
MD5:
- 9216198a2ebc14dd68386738c1c59792
- 6ad6232bcf4cef9bf40cbcae8ed2f985
- d0f6cf0d54cf77e957bce6dfbbd34d8e
- 921aa3783644750890b9d30843253ec6
- 99fd2e013b3fba1d03a574a24a735a82
- 0b7dad90ecc731523e2eb7d682063a49
- 516beb7da7f2a8b85cb170570545da4b
SHA1:
- 07b494575d548a83f0812ceba6b8d567c7ec86ed
- 2217c29e5d5ccfcf58d2b6d9f5e250b687948440
- 246018220a4f4f3d20262b7333caf323e1c77d2e
- 8b6ffa56ca5bea5b406d6d8d6ef532b4d36d090f
- 90f52b6d077d508a23214047e680dded320ccf4e
- f483c33acf0f2957da14ed422377387d6cb93c4d
- f974d22f74b0a105668c72dc100d1d9fcc8c72de
Domains:
- redhat-packages[.]com
- centos-packages[.]com
- dallynk[.]com
- yolenny[.]com
- 606qipai[.]com
- asplinc[.]com
- bsef.or[.]kr
IPs:
- 192.169.7[.]197
- 160.202.79[.]226
- 96.9.255[.]150
- 5.134.119[.]142
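The indicators above are published defanged (`[.]` instead of `.`) so that they cannot be resolved or clicked by accident; to use them for detection they must be refanged and then matched against DNS/proxy logs and file-hash telemetry. The following Python scanner is an added example, not code from the page or from SentinelOne Labs. It takes the page's domains, IPs and MD5 values, refangs them, and checks a handful of constructed log lines and observed hashes (hypothetical sample data, not from the report), flagging subdomains of a listed domain while ignoring look-alike names such as `notredhat-packages.com`.

```python
import re

# Indicators are taken from the page's IoC section (published by SentinelOne
# Labs). The log lines and observed file hashes further down are constructed
# sample data for this example, not data from the report.
DEFANGED_DOMAINS = [
    "redhat-packages[.]com", "centos-packages[.]com", "dallynk[.]com",
    "yolenny[.]com", "606qipai[.]com", "asplinc[.]com", "bsef.or[.]kr",
]
DEFANGED_IPS = ["192.169.7[.]197", "160.202.79[.]226", "96.9.255[.]150", "5.134.119[.]142"]
MD5_HASHES = [
    "9216198a2ebc14dd68386738c1c59792", "6ad6232bcf4cef9bf40cbcae8ed2f985",
    "d0f6cf0d54cf77e957bce6dfbbd34d8e", "921aa3783644750890b9d30843253ec6",
    "99fd2e013b3fba1d03a574a24a735a82", "0b7dad90ecc731523e2eb7d682063a49",
    "516beb7da7f2a8b85cb170570545da4b",
]


def refang(indicator: str) -> str:
    """Undo the common defanging conventions so the value can be compared
    against real log data ('example[.]com' -> 'example.com')."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def build_indicator_sets():
    """Return (domains, ips, md5s) as lowercase sets ready for lookups."""
    domains = {refang(d) for d in DEFANGED_DOMAINS}
    ips = {refang(i) for i in DEFANGED_IPS}
    md5s = {h.strip().lower() for h in MD5_HASHES}
    return domains, ips, md5s


# Extract IPv4 addresses and hostnames from free-form log lines.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def matches_domain(host: str, domains: set) -> bool:
    """True if host is a listed domain or a subdomain of one. The explicit
    '.' boundary avoids flagging look-alikes such as 'notredhat-packages.com'."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(lines, domains, ips):
    """Return (line_number, kind, value) for every network indicator hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((lineno, "ip", ip))
        for host in HOST_RE.findall(line):
            if matches_domain(host, domains):
                hits.append((lineno, "domain", host.lower()))
    return hits


def scan_hashes(observed, md5s):
    """Return the observed MD5 values (case-insensitive) that are on the list."""
    return sorted({h.strip().lower() for h in observed} & md5s)


# Constructed sample DNS/proxy log lines (hypothetical internal hosts 10.0.0.x).
SAMPLE_LOG = [
    "2023-05-02T10:14:03Z dns client=10.0.0.21 qname=update.microsoft.com",
    "2023-05-02T10:14:09Z dns client=10.0.0.21 qname=pkg.redhat-packages.com",
    "2023-05-02T10:15:41Z proxy CONNECT 160.202.79.226:443 client=10.0.0.33",
    "2023-05-02T10:16:02Z dns client=10.0.0.40 qname=notredhat-packages.com",
]
# Constructed list of hashes reported by an endpoint agent; the second value is
# the well-known MD5 of an empty file and should not match.
OBSERVED_HASHES = ["D0F6CF0D54CF77E957BCE6DFBBD34D8E", "d41d8cd98f00b204e9800998ecf8427e"]


def run_example():
    """Scan the constructed sample data; returns (network_hits, hash_hits)."""
    domains, ips, md5s = build_indicator_sets()
    return scan_log(SAMPLE_LOG, domains, ips), scan_hashes(OBSERVED_HASHES, md5s)


if __name__ == "__main__":
    net_hits, hash_hits = run_example()
    for lineno, kind, value in net_hits:
        print(f"line {lineno}: {kind} indicator {value}")
    for h in hash_hits:
        print(f"known-bad MD5 observed: {h}")
```

On the sample data the scanner reports the subdomain query on line 2 and the proxy connection to the listed IP on line 3, and the uppercase observed hash is matched after normalisation; the look-alike domain on line 4 is ignored because the suffix check requires a `.` boundary. In a real deployment the same functions would be fed from a log pipeline rather than an inline list, and SHA1 values can be handled identically.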