North Korean Hackers ‘Scarcruft’ Breached Russian Missile Maker

Cyber Security Threat Summary:
The cyberattack on the IT systems and email server of NPO Mashinostroyeniya, a Russian organization specializing in space rocket design and intercontinental ballistic missile engineering, has been attributed to the North Korean state sponsored hacking group ScarCruft. This group has a history of engaging in cyber activities with links to various targets. NPO Mashinostoyeniya, which is involved in the development and production of orbital vehicles, spacecraft, and defense missiles, has faced scrutiny due to its contributions to the Russo-Ukrainian conflict, leading to sanctions by the US Department of Treasury.

Yesterday, Sentinel Labs confirmed that ScarCruft is behind the hack of NPO Mashinostroyeniya's email server and IT systems. The threat actors utilized a Windows backdoor named 'OpenCarrot' for remote access to the network. ScarCruft is a cyberespionage group known to surveil and steal data from organizations. At this time the main purpose of the attack is unclear. Open Carrot, a sophisticated backdoor malware previously associated with the Lazarus Group, a North Korean hacking entity, boasts an array features. While it remains uncertain whether ScarCruft and Lazarus collaborated on this endeavor, it’s not uncommon for North Korean cyber operatives to share tools and methods with other state backed threat actors in the region.

“The variant of OpenCarrot used in this particular attack was implemented as a DLL file, supports proxying communications through internal network hosts.

The backdoor supports a total of 25 commands, including:

  • Reconnaissance: File and process attribute enumeration, scanning, and ICMP-pinging hosts in IP ranges for open TCP ports and availability.
  • Filesystem and process manipulation: Process termination, DLL injection, file deletion, renaming, and timestamping.
  • Reconfiguration and connectivity: Managing C2 communications, including terminating existing and establishing new comms channels, changing malware configuration data stored on the filesystem, and proxying network connections.
When legitimate users on the compromised devices become active, OpenCarrot automatically enters a sleep state and checks every 15 seconds for the insertion of new USB drives that can be laced and used for lateral movement. Simultaneously, SentinelLabs saw evidence of suspicious traffic originating from the victim's Linux email server, which was beaconing outbound to ScarCruft infrastructure.” (BleepingComputer, 2023).

Security Officer Comments:
The breach was discovered when security experts scrutinized an email leak originating from NPO Mashinostroyeniya. The leak contained extremely sensitive correspondences, including a report from the IT team cautioning about a potential cyber incident in May 2022. SentinelLabs employed the insights from the emails to initiate an investigation. This investigation unveiled a notably larger scale breach than what the missile manufacturer had initially perceived. The analysts are currently in the process of deciphering the initial access vector while acknowledging the potential use of the distinctive RokRAT backdoor by the threat actors. Also, the involvement of two state supported hacking groups could indicate a deliberate strategy by the North Korean state to amplify the probability of a successful breach.