North Korean hackers broke into Russian missile maker's network

An elite group of North Korean hackers secretly broke into the computer networks of a leading Russian missile developer for at least five months last year, according to technical evidence reviewed by Reuters and analysis by security researchers.

Reuters found that cyberespionage teams linked to the North Korean government, which security researchers call ScarCruft and Lazarus, secretly installed digital backdoors into systems at NPO Mashinostroyeniya, a rocket development center based in Reutov, a small town outside Moscow.

Reuters could not determine whether any data was obtained during the hack or what information may have been viewed. In the months following the digital hack, Pyongyang announced several developments in its banned ballistic missile program, but it is unclear whether the announcement was related to the breach.

NPO Mashinostroyeniya, the Russian embassy in Washington and North Korea’s mission to the United Nations in New York did not respond to requests for comment.

News of the attack came shortly after a trip by Russian Defense Minister Sergei Shoigu to Pyongyang last month for the 70th anniversary of the Korean War, the first visit by a Russian defense minister to North Korea since the dissolution of the Soviet Union in 1991.

The affected company, known as NPO Mash, served as a pioneering developer of hypersonic missiles, satellite technologies and state-of-the-art ballistic weaponry, according to missile experts – three areas of great interest to North Korea since it embarked on its mission to create an Intercontinental Ballistic Missile (ICBM) capable of reaching the continental United States.

According to technical data, the hacking began around the end of 2021 and continued until May 2022, when, according to the company’s internal communications analyzed by Reuters, IT engineers detected the hackers’ activity.

NPO Mash rose to prominence during the Cold War as an important satellite manufacturer for Russia’s space program and as a supplier of cruise missiles.

EMAIL HACKING

The hackers broke into the company’s information technology environment, allowing them to read email traffic, move between networks and extract data, according to Tom Hegel, a security researcher at US cybersecurity firm SentinelOne, who initially discovered the intrusion.

Hegel’s team of security analysts at SentinelOne learned of the hack after discovering that an NPO Mash employee had accidentally leaked the company’s internal communications while trying to investigate the North Korean attack by uploading evidence to a private portal used by digital security researchers around the world.

When contacted by Reuters, the employee declined to comment.

Two independent computer security experts, Nicholas Weaver and Matt Tait, reviewed the contents of the exposed email and confirmed its authenticity. “I am very confident that the data is authentic,” Weaver told Reuters. “How the information was exposed was an absolutely hilarious mess.”

SentinelOne said it was confident that North Korea was behind the hack because the spies reused previously known malware and malicious infrastructure set up to carry out other hacks.
