Lazarus Hacks Russian Missile Maker As Moscow Begs For Ammo

An elite group of North Korean hackers covertly penetrated the networks of a major Russian missile developer for at least five months last year, according to technical evidence reviewed by Reuters and an analysis by security researchers.

Aug 8, 2023 - 15:14

Cyber-espionage groups linked to the North Korean government, known to security researchers as ScarCruft and Lazarus, have secretly installed mysterious digital back doors at NPO Mashinostroyeniya's missile design office in Reutov, a suburb of Moscow, Reuters has found.

Reuters was unable to determine whether data was taken during the intrusion or what data may have been viewed. In the months since the hack, Pyongyang has announced several developments in its banned ballistic missile program, but it is unclear whether these were related to the breach.

Experts say the incident shows how the isolated country is targeting even its allies, such as Russia, in its quest to acquire critical technology.

Neither NPO Mashinostroyeniya, the Russian embassy in Washington, nor the North Korean mission to the United Nations in New York responded to Reuters' request for comment. News of the hack came shortly after Russian Defense Minister Sergei Shoigu visited Pyongyang last month on the 70th anniversary of the Korean War, the first visit by a Russian defense minister to North Korea since the collapse of the Soviet Union in 1991.

Missile experts say the targeted company, commonly known as NPO Mash, pioneered hypersonic missiles, satellite technology and a new generation of ballistic weapons, three areas that have interested North Korea since it began its mission to create an intercontinental ballistic missile (ICBM) capable of hitting the continental United States.

According to the technical data and internal company communications reviewed by Reuters, the intrusion began around the end of 2021 and continued until May 2022, when IT engineers discovered the hackers' activity.

During the Cold War, NPO Mash emerged as the most important satellite manufacturer and supplier of cruise missiles for the Russian space program.

Email Hacking

According to Tom Hegel, a security researcher at US cyber security firm SentinelOne who first discovered the compromise, the hackers dug into the company's IT environment, allowing them to read email traffic, hop between networks and extract data. "These findings provide a rare look at covert cyber operations that traditionally escape the public eye or simply go unnoticed by such victims," Hegel said.

Hegel and his fellow SentinelOne analysts learned of the hack after discovering that an NPO Mash IT employee had accidentally leaked his company's internal communications while trying to investigate the North Korean attack, by uploading the evidence to a private portal used by cybersecurity researchers around the world.

When contacted by Reuters, the IT employee declined to comment.

The leak gave Reuters and SentinelOne a unique look inside a Russian company of critical importance to the state, one that was sanctioned by the Obama administration after the invasion of Crimea.

Two independent security experts, Nicholas Weaver and Matt Tait, reviewed the contents of the leaked email and confirmed its authenticity. The analysts confirmed the link to NPO Mash by checking the email's cryptographic signatures against a set of keys controlled by the company.

"I am very confident that the information is genuine," Weaver told Reuters. "The way the information was released was absolutely ridiculous shit."

SentinelOne said it believed North Korea was behind the hack because cyber spies reused previously known malware and malicious infrastructure designed to carry out other intrusions.

"Film Stills"

In 2019, Russian President Vladimir Putin called NPO Mash's "Zircon" hypersonic missile a "promising new product" capable of traveling at about nine times the speed of sound. Just because North Korean hackers may have obtained information about the Zircon does not mean they immediately have the same capability, said Markus Schiller, a European missile expert who has studied foreign aid to North Korea's missile program.

"It's the stuff of a movie," he said. "Getting blueprints doesn't help much in building these things, there's so much more than blueprints."

However, given NPO Mash's position as Russia's leading missile designer and manufacturer, the company would be a valuable target, Schiller added.

"There's a lot to learn from them," he said.

Another point of interest could be the fueling process that NPO Mash uses for its missiles, experts said. Last month, North Korea launched the Hwasong-18, its first solid-fuel ICBM.

This fueling method allows the missiles to be used more quickly during war because it does not require fueling at the launch pad, making it more difficult to track and destroy the missiles before they detonate.

NPO Mash produces an ICBM called the SS-19, which is fueled and sealed at the factory. This process, known as "ampouling", produces a similar strategic result.

"It's hard to do because the rocket's propellant, especially the oxidizer, is very corrosive," said Jeffrey Lewis, a missile researcher at the James Martin Center for Nuclear Nonproliferation Studies.

"North Korea has announced that it will do the same in late 2021. If NPO Mash had one useful thing for them, it would be at the top of my list," he added.

State-sponsored cybercriminals

North Korea is said to have around 6,000 hackers operating in more than 150 countries. 10 percent of North Korea's GDP comes from cybercrime - mainly fraud, theft and ransomware.

In 2019, a UN Security Council report stated that since 2016, North Korea has increasingly relied on hacking to generate revenue for its treasury. Most of the proceeds of these crimes are probably channeled into the country's defense budget - to finance nuclear and missile tests. Due to the government's complete control over Internet access, North Korea's cryptocurrency industry is primarily crime-related and state-sponsored. Hackers linked to the North Korean government have stolen $1.2 billion worth of cryptocurrencies, according to a report by South Korea's top intelligence agency.

According to blockchain analytics firm Elliptic, North Korea stole a total of $2.3 billion in cryptocurrencies from businesses between 2017 and 2022. The most famous North Korean hacker collective is the Lazarus Group. It is behind a number of cybercrimes around the world, including the hack of the Harmony blockchain, which resulted in the theft of $100 million worth of crypto.
