North Korean Threat Actors Target Russian Cyber Defense Industry


This article delves into the key findings, attributions, and the intricate details surrounding this cyber espionage campaign, shedding light on the involvement of North Korean threat actors.

I. Executive Summary

SentinelLabs uncovered an intrusion into the Russian defense industrial base, specifically targeting NPO Mashinostroyeniya, a missile engineering organization. The investigation reveals two instances of compromise, including the use of a Windows backdoor named OpenCarrot. The analysis attributes the compromise of the email server to the ScarCruft threat actor, while a Lazarus Group backdoor was identified in the compromise of the internal network. The nature of the relationship between these two threat actors remains uncertain, highlighting the complexity of the cyber landscape.

II. Background: North Korean Threat Actors on the Radar

Over the past year, North Korean threat actors have garnered attention for various campaigns, showcasing new tools, supply chain intrusions, multi-platform targeting, and sophisticated social engineering tactics. This intrusion into NPO Mashinostroyeniya provides a unique glimpse into a strategic cyber espionage mission in support of North Korea’s missile program, adding a new dimension to their evolving capabilities.

III. The Target Organization: NPO Mashinostroyeniya

NPO Mashinostroyeniya, a leading Russian manufacturer of missiles and military spacecraft, is the focal point of the cyber intrusion. The organization, whose parent company is JSC Tactical Missiles Corporation KTRV, holds highly confidential intellectual property related to sensitive missile technology. The leaked email collection serves as a crucial backdrop, offering insights into the organization’s internal network, security gaps, and potential activities by other threat actors.

IV. Discovery and Timeline of the Intrusion

The intrusion was flagged internally by NPO Mashinostroyeniya in mid-May 2022, shortly before Russia’s veto on U.N. sanctions against North Korea. Suspicious communications between processes and unknown external infrastructure triggered the investigation. The analysis spans from the discovery of a suspicious DLL file to the engagement with the antivirus solution’s support staff. The timeline highlights the organization’s proactive response to the intrusion, showcasing the evolving nature of cyber threats.

V. North Korean Overlap: ScarCruft and Lazarus Group

During the investigation, a version of the OpenCarrot Windows OS backdoor, linked to Lazarus Group activities, is identified. Simultaneously, compromise of the business’s Linux email server is attributed to ScarCruft, a North Korean-affiliated threat actor known for state-sponsored activities globally. The article explores the characteristics of the OpenCarrot backdoor and its role in the compromise, providing insights into the tactics and techniques employed by these threat actors.

VI. Infrastructure Analysis and Connections

A detailed examination of the infrastructure used in the intrusion provides critical insights. The compromised email server communicated with infrastructure associated with ScarCruft, showcasing the global reach of North Korean threat actors. The analysis delves into the infrastructure’s evolution, including its pause during the victim organization’s discovery of the intrusion and its subsequent reactivation, highlighting the threat actor’s adaptability and strategic maneuvering.

VII. Attribution and Relationships

In the intricate landscape of cyber espionage, establishing attribution and understanding the relationships between threat actors is a complex endeavor. The NPO Mashinostroyeniya intrusion, orchestrated by North Korean-affiliated threat actors, unfolds a narrative of strategic cyber operations with implications reaching beyond the immediate compromise. This section delves deeper into the attribution process, explores the potential relationships between threat actors, and underscores the significance of this interconnected web of cyber activities.

A. Attribution Challenges in Cyberspace

Attributing cyber incidents to specific threat actors is inherently challenging, given the clandestine and deceptive nature of cyber operations. The use of false flags, proxy servers, and sophisticated techniques often obscures the true identity of threat actors. In the case of the NPO Mashinostroyeniya intrusion, SentinelLabs navigated these challenges to attribute the incident to North Korean threat actors. The analysis involved a meticulous examination of malware characteristics, infrastructure, and tactics employed during the intrusion.

B. North Korean Nexus: ScarCruft and Lazarus Group

The attribution of the email server compromise to the ScarCruft threat actor and the identification of the OpenCarrot backdoor linked to Lazarus Group activities provide a snapshot of North Korean involvement. ScarCruft, also known as Inky Squid, APT37, or Group123, is a threat actor associated with state-sponsored activities targeting high-value individuals and organizations globally. Lazarus Group, on the other hand, has gained notoriety for its involvement in cyber operations with a focus on financial institutions and geopolitical interests.

C. Overlapping Infrastructure: Shared Resources or Autonomous Operations?

The identification of overlapping infrastructure used by ScarCruft and Lazarus Group raises questions about the potential relationships between these distinct threat actors. One plausible scenario is the sharing of resources, infrastructure, or even access to victim networks. This could suggest a coordinated effort, pooling capabilities for a more significant impact. However, an alternative perspective acknowledges the possibility of independent, autonomous operations. Tasking against NPO Mashinostroyeniya might have attracted multiple threat actors due to the target's perceived significance, leading to parallel and uncoordinated cyber activities.

D. Tasking and Significance of the Target

Understanding the tasking—what objectives or goals prompted the intrusion—and the perceived significance of the target is pivotal in unraveling the relationships between threat actors. The Russian defense industrial base, particularly a missile engineering organization like NPO Mashinostroyeniya, represents a high-profile target. The potential sharing of this task among multiple threat actors underscores its strategic importance. Tasking considerations may involve intelligence gathering, technological espionage, or geopolitical motives, providing a nuanced understanding of the relationships between North Korean threat actors.

VIII. OpenCarrot Backdoor: Features and Functionality

A detailed analysis of the OpenCarrot backdoor sheds light on its features and functionality. As a versatile and configurable malware, it enables full compromise of infected machines and coordination of multiple infections across a local network. The article explores the reconnaissance, filesystem manipulation, and reconfiguration capabilities of OpenCarrot, providing a comprehensive understanding of its role in the cyber intrusion.

IX. Conclusion: Mitigating a Global Menace

The concluding section emphasizes the significance of addressing the evolving threat posed by North Korean cyber threat actors. The intrusion into NPO Mashinostroyeniya serves as a compelling example of their proactive measures to advance missile development objectives covertly. The article calls for global vigilance, strategic response, and collaborative efforts to mitigate the impact of this complex and consequential cyber menace.
