North Korean cyber espionage: Attack on sanctioned Russian missile company

North Korean threat actors have garnered the attention of the security community over the past year, providing valuable insight into a variety of campaigns, including new intelligence-gathering tools, new supply chain attacks, elusive cross-platform attacks, and new, sophisticated social engineering tactics. Building on that, SentinelLabs, SentinelOne’s research division, has shed light on a new compromise that could be described as a strategic spy mission – support for North Korea’s controversial missile program.

The target organization

In the course of routine tracking of suspected North Korean threat actors, security researchers uncovered an email collection that contained features linked to previously reported campaigns by North Korean threat actors. A thorough examination of the email archive revealed a major compromise that had not been fully recognized by the targeted organization at the time.

The company involved is NPO Mashinostroyeniya (JSC MIC Mashinostroyenia, NPO Mash), a leading Russian manufacturer of missiles and military spacecraft. Its parent company is JSC Tactical Missiles Corporation KTRV (Russian: АО “Корпорация Тактическое Ракетное Вооружение”, КТРВ). NPO Mash is an internationally sanctioned entity that owns highly confidential intellectual property covering sensitive missile technology currently in use or under development for the Russian military.

Technical background

The security experts are very confident that the emails related to this activity came from the victim organization. Furthermore, there are no recognizable signs of tampering or technically verifiable inaccuracies. It is important to highlight that the leaked data includes a significant number of emails unrelated to the activity under investigation. This indicates that the leak was likely accidental or the result of activities unrelated to the analyzed intrusion. Nonetheless, the collection provides valuable background information for our understanding of the internal network design, its security weaknesses, and the activities of other attackers.

In mid-May 2022, about a week before Russia vetoed a UN resolution imposing new sanctions on North Korea for launching ICBMs that could deliver nuclear weapons, the organization concerned reported the attack internally. Internal emails from NPO Mashinostroyeniya show IT staff engaged in discussions that pointed to questionable communication between certain processes and unknown external infrastructure. On the same day, NPO Mashinostroyeniya employees also discovered a suspicious DLL file in various internal systems. A month after the intrusion, NPO Mashinostroyeniya contacted their AV solution’s support staff to find out why this and other activities weren’t being detected.

After a review of the emails and an in-depth investigation of the two separate sets of suspicious activity, each set of activity was successfully correlated with a corresponding threat actor, representing a more significant intrusion into the network than the victim organization realized. This intrusion provides a rare glimpse into sensitive North Korean cyber espionage campaigns and offers an opportunity to broaden our understanding of the relationships and objectives between various cyber threat actors.

Conclusion

There is a high probability that this intrusion was due to threat actors associated with North Korea. This incident is a compelling example of North Korea’s proactive efforts to covertly promote its missile development goals, as evidenced by the direct compromise of a Russian Defense-Industrial Base (DIB) organization. The convergence of North Korean cyber threat actors poses a large-scale threat that warrants extensive global surveillance. These actors act together as a cohesive cluster and run a variety of campaigns motivated by different factors. In view of these findings, it is crucial to


(c) it-daily