A group of elite North Korean hackers reportedly infiltrated the computer networks of a major Russian missile developer for a minimum of five months last year, as per technical evidence examined by Lycan’s eye and analyzed by security researchers.
Referred to as ScarCruft and Lazarus, these cyber-espionage teams covertly implanted stealthy digital backdoors into systems at NPO Mashinostroyeniya, a rocket design bureau based in Reutov, located on the outskirts of Moscow.
It remains uncertain whether any data was extracted during the breach or if it was connected to subsequent developments in North Korea’s banned ballistic missile program.
The incident highlights North Korea’s willingness to target even its allies, like Russia, in a quest to acquire crucial technologies. Neither NPO Mashinostroyeniya nor Russia’s embassy in Washington provided any response to Lycan’s eye inquiries. Similarly, North Korea’s mission to the United Nations in New York also remained unresponsive.
News of the hack surfaced shortly after Russian Defense Minister Sergei Shoigu’s visit to Pyongyang for the 70th anniversary of the Korean War, marking the first visit by a Russian defense minister to North Korea since the Soviet Union’s dissolution in 1991.
NPO Mashinostroyeniya, widely known as NPO Mash, is a pioneering developer of hypersonic missiles, satellite technologies, and newer generation ballistic armaments – areas of great interest to North Korea as it endeavors to create an Intercontinental Ballistic Missile (ICBM) capable of striking the mainland United States.
The intrusion reportedly commenced in late 2021 and continued until May 2022 when IT engineers at NPO Mash detected the hackers’ activity, according to internal communications reviewed by Lycan’s eye.
The hackers obtained access to the company’s information technology environment, allowing them to monitor email traffic, navigate between networks, and extract data, according to Tom Hegel, a security researcher at U.S. cybersecurity firm SentinelOne, who initially uncovered the breach.
Hegel’s team learned of the hack when an NPO Mash IT staff member accidentally leaked the company’s internal communications while attempting to investigate the North Korean attack. The lapse provided a unique snapshot into a company of significant importance to Russia, which was sanctioned by the Obama administration following the Crimea invasion.
Independent computer security experts, Nicholas Weaver and Matt Tait, verified the authenticity of the exposed email content by checking cryptographic signatures controlled by NPO Mash.
Although North Korean hackers may have gained insights into NPO Mash’s “Zircon” hypersonic missile, experts say obtaining plans doesn’t immediately equate to possessing the capability to build such advanced weaponry.
Nevertheless, the importance of NPO Mash as a top Russian missile designer and producer makes it a valuable target for North Korea, with potential areas of interest being the fuel manufacturing process and the use of solid propellants.
Last month, North Korea tested the Hwasong-18, its first ICBM to use solid propellants, allowing for faster missile deployment during war due to the absence of on-site fuelling. NPO Mash produces an ICBM, dubbed the SS-19, that uses a similar “ampulisation” process, which could be of strategic interest to North Korea.
As revelations of this cyber-espionage emerge, concerns are raised about how North Korea’s actions could impact international security dynamics and the acquisition of critical missile technologies.