According to Reuters and security researchers, an elite gang of North Korean hackers surreptitiously penetrated computer networks at a key Russian missile maker for at least five months last year.
Reuters discovered that cyber-espionage teams linked to the North Korean government, known as ScarCruft and Lazarus, stealthily installed digital backdoors into systems at NPO Mashinostroyeniya, a rocket design firm situated in Reutov, a small village on the outskirts of Moscow.
Reuters was unable to determine whether any data was taken or what information was read during the attack. Pyongyang announced many breakthroughs in its banned ballistic missile programme in the months following the computer intrusion, although it is unclear whether these were related to the breach.
According to experts, the incident demonstrates how the isolated country will even attack its allies, such as Russia, in order to obtain crucial technologies.
NPO Mashinostroyeniya did not respond to requests for comment from Reuters. The Russian embassy in Washington did not respond to an email seeking comment. North Korea’s UN mission in New York did not respond to a request for comment.
The intrusion comes shortly after Russian Defence Minister Sergei Shoigu visited Pyongyang last month for the 70th anniversary of the Korean War, the first visit by a Russian defence minister to North Korea since the Soviet Union’s dissolution in 1991.
According to missile experts, the targeted company, known as NPO Mash, has been a pioneer developer of hypersonic missiles, satellite technologies, and newer generation ballistic armaments – three areas of keen interest to North Korea since it embarked on its mission to develop an Intercontinental Ballistic Missile (ICBM) capable of striking the mainland United States.
Technical data and internal corporate messages obtained by Reuters indicate that the intrusion began in late 2021 and lasted until May 2022, when IT engineers identified the hackers’ activity.
During the Cold War, NPO Mash rose to prominence as a leading satellite manufacturer for Russia’s space programme and a cruise missile supplier.
According to Tom Hegel, a security researcher with the U.S. cybersecurity firm SentinelOne who detected the intrusion, the hackers broke into the company’s IT system, giving them the ability to read email traffic, jump between networks, and extract data.
“These findings provide a rare glimpse into the clandestine cyber operations that have traditionally remained hidden from public scrutiny or are simply never detected by such victims,” Hegel added.
SentinelOne’s security analysts discovered the hack after an NPO Mash IT staffer accidentally leaked his company’s internal communications while attempting to investigate the North Korean attack by uploading evidence to a private portal used by cybersecurity researchers worldwide.
Reuters reached out to the IT staffer, who declined to comment.
The lapse gave Reuters and SentinelOne a rare glimpse into a critical Russian state enterprise that was sanctioned by the Obama administration following the invasion of Crimea.
Nicholas Weaver and Matt Tait, two independent computer security professionals, analysed the disclosed email content and confirmed its validity. The analysts confirmed the relationship by comparing the digital signatures in the email to a set of keys possessed by NPO Mash.
“I’m very confident the data is genuine,” Weaver told Reuters. “How the information was exposed was a completely hilarious blunder.”
SentinelOne believes North Korea was responsible for the hack because the cyber spies reused previously known malware and malicious infrastructure set up to carry out earlier attacks.
In 2019, Russian President Vladimir Putin described NPO Mash’s “Zircon” hypersonic missile as a “promising new product” capable of moving at around nine times the speed of sound.
The fact that North Korean hackers received information about the Zircon does not mean they would immediately have that capability, according to Markus Schiller, a missile analyst based in Europe who has investigated foreign aid to North Korea’s missile programme.
“That’s movie stuff,” he pointed out. “Getting plans won’t help you much when it comes to building these things; there’s a lot more to it than some drawings.”
However, considering NPO Mash’s status as a leading Russian missile designer and manufacturer, the business would be a valuable target, according to Schiller.
“There is much to learn from them,” he remarked.
According to analysts, another area of interest could be NPO Mash’s fuel-production process. North Korea tested the Hwasong-18, its first ICBM to employ solid propellants, last month.
Because it does not require fueling on a launchpad, this fueling method allows for speedier deployment of missiles during combat, making the missiles more difficult to track and destroy before blast-off.
NPO Mash manufactures the SS-19, an ICBM that is fuelled in the factory and sealed shut, a procedure known as “ampulisation” that produces a comparable strategic result.
“It’s difficult because rocket propellant, particularly the oxidizer, is extremely corrosive,” said Jeffrey Lewis, a missile expert at the James Martin Centre for Nonproliferation Studies.
“North Korea announced in late 2021 that it would do the same thing,” he continued. “If NPO Mash had one thing useful for them, that would be at the top of my list.”
James Pearson in London and Christopher Bing in Washington contributed reporting, and Chris Sanders and Alistair Bell edited the piece.
North Korean hackers have been accused of operating a sophisticated cyber warfare unit known as “Bureau 121” or “Unit 180,” which is responsible for conducting cyber attacks.
Some of the notable cyber activities attributed to North Korean hackers include:
Cyber Espionage: North Korean hackers have been involved in stealing sensitive information from government agencies, businesses, and organizations worldwide. They often target South Korean and Western governments, military, and defense industries.
Financial Cybercrime: North Korean hackers have been associated with numerous cyber attacks aimed at financial institutions, cryptocurrency exchanges, and individuals to steal money. One of their most infamous attacks was the 2016 Bangladesh Bank heist, where hackers stole over $81 million from the bank’s account at the Federal Reserve Bank of New York.
DDoS Attacks: North Korean hackers have been involved in Distributed Denial of Service (DDoS) attacks against various targets, disrupting their online services and causing downtime.
Cyber Propaganda: North Korea uses cyber capabilities to spread propaganda, deface websites, and promote the regime’s ideology.
Governments and organizations worldwide continue to defend against cyber threats from North Korea and other state-sponsored hacking groups, and cybersecurity measures and strategies are constantly being improved to protect sensitive information and critical infrastructure from such attacks.