Security researchers have discovered a likely North Korean cyber-espionage campaign targeting the IT network of a Russian manufacturer of intercontinental ballistic missiles and aerospace equipment.
Leaked emails from NPO Mashinostroyeniya, which is sanctioned by the US for its role in Russia’s invasion of Ukraine, helped SentinelLabs researchers work out what had happened.
“Internal NPO Mashinostroyeniya emails show IT staff exchanged discussions highlighting questionable communications between specific processes and unknown external infrastructure,” it explained in a blog post.
“The same day, the NPO Mashinostroyeniya staff also identified a suspicious DLL file present in different internal systems. The month following the intrusion, NPO Mashinostroyeniya engaged with their AV solution’s support staff to determine why this and other activity was not detected.”
Although SentinelLabs is still unclear about the initial access vector, it claimed that North Korean actors compromised an email server at the firm and deployed a Windows backdoor dubbed “OpenCarrot” to its network.
The threat intelligence vendor attributed the intrusion to ScarCruft (APT37), while noting that the OpenCarrot backdoor is more commonly associated with another Pyongyang group, Lazarus, which suggests more than one North Korean cluster may have had a hand in the operation.
The backdoor features a wide range of functionality to support reconnaissance, file system and process manipulation, and reconfiguration/connectivity, the report claimed.
“As a feature-rich, configurable, and versatile backdoor, the malware is a strong enabler of the group’s operations. With a wide range of supported functionality, OpenCarrot enables full compromise of infected machines, as well as the coordination of multiple infections across a local network,” SentinelLabs explained.
“The OpenCarrot variant we analyzed supports proxying C2 communication through the internal network hosts and directly to the external server, which supports the strong possibility of a network-wide compromise.”
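The observations above give a defender three concrete things to hunt for: processes talking to external infrastructure nobody recognises, the same unrecognised DLL turning up on several hosts, and an internal host that accepts connections from its peers and then beacons outward, which is the shape a C2 proxy leaves in network telemetry. The following script is an added illustration of those three heuristics; it is not code from SentinelLabs or from the page, and it does not model OpenCarrot's real protocol. The address ranges, the allowlist, the expected-port set, the file paths and the hash tokens are all constructed for the example and should be replaced with the defender's own inventory.

```python
"""Added illustration: three hunt heuristics for the signals described in the
reporting. Telemetry, address ranges, paths and hash tokens are constructed."""
import ipaddress
from collections import defaultdict

# Assumption: the defender knows its own address space (constructed /8 here).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: an allowlist of external ranges the business legitimately uses;
# 192.0.2.0/24 is a documentation prefix standing in for, say, a vendor CDN.
APPROVED_EXTERNAL = [ipaddress.ip_network("192.0.2.0/24")]
# Ports on which peer-to-peer traffic inside a Windows domain is routine
# (DNS, Kerberos, RPC, NetBIOS, LDAP, SMB, LDAPS, RDP); tune for your estate.
EXPECTED_INTERNAL_PORTS = {53, 88, 135, 139, 389, 445, 636, 3389}

# Constructed connection records shaped like Sysmon Event ID 3:
# (source host IP, initiating process image, destination IP, destination port)
SAMPLE_CONNECTIONS = [
    ("10.0.0.11", r"C:\Windows\System32\svchost.exe", "10.0.0.5", 445),
    ("10.0.0.11", r"C:\Windows\System32\rundll32.exe", "10.0.0.20", 8080),
    ("10.0.0.12", r"C:\Windows\System32\rundll32.exe", "10.0.0.20", 8080),
    ("10.0.0.12", r"C:\Program Files\Mozilla Firefox\firefox.exe", "192.0.2.10", 443),
    ("10.0.0.20", r"C:\Windows\System32\rundll32.exe", "203.0.113.45", 443),
    ("10.0.0.5", r"C:\Windows\System32\lsass.exe", "10.0.0.2", 389),
]

# Constructed DLL inventory: (host IP, path, hash token). Tokens stand in for
# SHA-256 values; "KNOWN-*" is in the good-hash set, "UNKNOWN-*" is not.
SAMPLE_DLLS = [
    ("10.0.0.11", r"C:\Windows\System32\kernel32.dll", "KNOWN-kernel32"),
    ("10.0.0.11", r"C:\ProgramData\svc\helper.dll", "UNKNOWN-a1"),
    ("10.0.0.12", r"C:\ProgramData\svc\helper.dll", "UNKNOWN-a1"),
    ("10.0.0.20", r"C:\Users\Public\Libraries\helper.dll", "UNKNOWN-a1"),
    ("10.0.0.5", r"C:\Program Files\Vendor\plugin.dll", "UNKNOWN-b2"),
]
KNOWN_GOOD_HASHES = {"KNOWN-kernel32"}


def is_external(ip: str) -> bool:
    """External means outside the ranges we own, not Python's is_private view."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_approved(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_EXTERNAL)


def unknown_external_connections(conns):
    """Signal 1: a process reaching external infrastructure not on the allowlist."""
    return [c for c in conns if is_external(c[2]) and not is_approved(c[2])]


def relay_candidates(conns):
    """Signal 2: an internal host that accepts peer connections on an unexpected
    port and itself beacons to unknown external infrastructure (C2 proxy shape).
    Returns {relay host: sorted list of internal peers using it}."""
    inbound_from_peers = defaultdict(set)
    for src, _proc, dst, port in conns:
        if not is_external(dst) and src != dst and port not in EXPECTED_INTERNAL_PORTS:
            inbound_from_peers[dst].add(src)
    beaconing = {src for src, _p, _d, _port in unknown_external_connections(conns)}
    return {host: sorted(peers) for host, peers in inbound_from_peers.items()
            if host in beaconing}


def dll_spread(dlls, min_hosts=2):
    """Signal 3: an unrecognised DLL present on several hosts, i.e. spread rather
    than a one-off. Returns {hash: (sorted hosts, sorted paths)}."""
    hosts_by_hash = defaultdict(set)
    paths_by_hash = defaultdict(set)
    for host, path, digest in dlls:
        if digest in KNOWN_GOOD_HASHES:
            continue
        hosts_by_hash[digest].add(host)
        paths_by_hash[digest].add(path)
    return {digest: (sorted(hosts), sorted(paths_by_hash[digest]))
            for digest, hosts in hosts_by_hash.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for src, proc, dst, port in unknown_external_connections(SAMPLE_CONNECTIONS):
        print(f"[unknown external] {src} {proc} -> {dst}:{port}")
    for host, peers in relay_candidates(SAMPLE_CONNECTIONS).items():
        print(f"[relay candidate] {host} fronts for {', '.join(peers)}")
    for digest, (hosts, paths) in dll_spread(SAMPLE_DLLS).items():
        print(f"[dll spread] {digest} on {len(hosts)} hosts: {', '.join(paths)}")
```

The relay heuristic is deliberately narrow: it only fires when a host is both a peer-facing listener on a non-standard port and an outbound beacon source, which keeps file servers and domain controllers (SMB, LDAP) out of the result. The cost is that a proxy listening on a port in `EXPECTED_INTERNAL_PORTS` would be missed, so that set should be as small as the estate allows.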
It’s no secret that the Kim Jong-un regime is developing a nuclear and missile program, using billions stolen from crypto firms and banks over the years. It follows that the hermit nation would also use cyber-espionage to access vital intellectual property in order to advance its plans.