Two separate North Korea-affiliated threat actors have compromised the internal systems of the major Russian missile engineering company NPO Mashinostroyeniya, sanctioned by the US authorities in 2014 in response to Russia’s continued attempts to destabilize eastern Ukraine and its ongoing occupation of Crimea.
Researchers at SentinelLabs said they identified two instances of North Korea-related breaches of sensitive internal IT infrastructure within NPO Mashinostroyeniya, including a Linux email server compromise, and the deployment of a Windows backdoor dubbed OpenCarrot.
The breach of the email server was linked to a threat actor known as ScarCruft, APT37, Inky Squid or Temp.Reaper, while the OpenCarrot backdoor was previously linked to the Lazarus Group hackers. The attacks were first spotted in mid-May 2022.
“At this time, we cannot determine the potential nature of the relationship between the two threat actors. We acknowledge a potential sharing relationship between the two DPRK-affiliated threat actors as well as the possibility that tasking deemed this target important enough to assign to multiple independent threat actors,” the researchers said.
The intrusion came to light after SentinelLabs discovered a leaked email collection containing an implant with characteristics related to previously reported North Korean cyber espionage campaigns. An analysis of the email archive “revealed a larger intrusion, not fully recognized at the time by the compromised organization.”
The OpenCarrot backdoor is implemented as a Windows dynamic-link library (DLL) and supports a wide range of commands. It enables full compromise of infected machines, as well as the coordination of multiple infections across a local network.
In the case of the breached email server, it’s currently unclear how ScarCruft managed to gain initial access and what malware it planted. However, the group has been observed using the RokRat backdoor in their previous attacks.
“This intrusion gives rare insight into sensitive DPRK cyberespionage campaigns, and an opportunity to expand our understanding of the relationship and goals between various North Korean cyber threat actors. It also highlights a potential rift in relations between Russia and North Korea, considering their growing relationship,” SentinalLabs noted.
