• Fri. Sep 1st, 2023

North Korean Hackers Known as ‘ScarCruft’ Gained Access to a Russian Missile Manufacturer

By Esme Greene

Sep 1, 2023

NPO Mashinostroyeniya is a Russian company that designs and manufactures orbital vehicles, spacecraft, and tactical defense and assault missiles for the Russian and Indian militaries. Since 2014, the US Department of Treasury (OFAC) has sanctioned the corporation for its involvement and role in the Russian-Ukrainian war.

SentinelLabs announced today that ScarCruft is responsible for a penetration of NPO Mashinostroyeniya’s email server and IT infrastructure, in which the threat actors placed a Windows backdoor termed ‘OpenCarrot’ that enables remote network access. While the attack’s main goal is unknown, ScarCruft (APT37) is a cyber espionage group known for surveilling and stealing data from corporations as part of its cyber operations.

Detecting the breach

Security specialists identified the compromise thanks to an email leak from NPO Mashinostroyeniya. The hacked emails contained private discussions as well as an IT report regarding a possible cyber catastrophe in May 2022. SentinelLabs investigated and discovered a broader infiltration than was previously suspected. The stolen emails revealed unusual network communication within the organization.

A dangerous DLL was identified on internal computers, prompting collaboration with an antivirus provider. Using IP addresses and other indicators in the emails, the investigators discovered the ‘OpenCarrot’ Windows backdoor. OpenCarrot is linked to the Lazarus Group, a North Korean hacker group. Although it is unclear whether this was a collaborative effort, North Korean hackers frequently share tools with other state-sponsored groups.

The attack took advantage of an OpenCarrot variant implemented as a DLL file, allowing communication with internal network hosts. When legitimate users are active on the infected devices, OpenCarrot goes to sleep and checks every 15 seconds for the insertion of new USB sticks that could be infected and used for lateral movement.

According to SentinelLabs, the presence of two state-sponsored hacking organizations might imply a planned approach by the North Korean state, which controls both. The state may have intended to increase the likelihood of a successful breach by deploying multiple actors to infiltrate NPO Mashinostroyeniya, which it regarded as a big target for espionage.