In a high-stakes game of cyber espionage, North Korean state-sponsored hacking group ScarCruft has been implicated in a cyberattack on NPO Mashinostroyeniya, a Russian organization renowned for its design and manufacture of space rockets and intercontinental ballistic missiles. This company, whose creations are utilized by the Russian and Indian armies, has been under sanctions by the U.S. Department of Treasury since 2014 due to its involvement in the Russo-Ukrainian war.
The cyberattack, as reported by SentinelLabs, saw the hackers infiltrate NPO Mashinostroyeniya’s email server and IT systems. The hackers planted a Windows backdoor named ‘OpenCarrot’, granting them remote access to the network. ScarCruft, also known as APT37, is notorious for its cyber espionage activities, often involving surveillance and data theft from targeted organizations.
The breach was uncovered when security analysts examined an email leak from NPO Mashinostroyeniya, which contained highly confidential communications. Among these was a report from the company’s IT staff, warning of a potential cybersecurity incident in mid-May 2022. SentinelLabs used this information to launch an investigation, revealing a much more significant intrusion than the missile maker had initially realized.
The leaked emails revealed that the company’s IT staff had noticed suspicious network communication between internal devices and external servers. This discovery led to the identification of a malicious DLL installed on internal systems, prompting the company to consult their antivirus firm to understand the nature of the infection. Upon analyzing the IP addresses and other indicators of compromise found in the emails, SentinelLabs concluded that the Russian organization had been infected with the ‘OpenCarrot’ Windows backdoor.
Interestingly, ‘OpenCarrot’ has previously been associated with another North Korean hacking group, the Lazarus Group. While it remains unclear if this was a joint operation between ScarCruft and Lazarus, it’s worth noting that North Korean hackers often employ overlapping tools and tactics. The ‘OpenCarrot’ variant used in this attack was implemented as a DLL file and supports proxying communications through internal network hosts. It’s equipped with a total of 25 commands, ranging from reconnaissance and filesystem manipulation to reconfiguration and connectivity.
It can also enter a sleep state while legitimate users are active on the compromised devices, and it checks every 15 seconds for newly inserted USB drives that can be exploited for lateral movement. Separately, SentinelLabs observed suspicious traffic from the victim’s Linux email server to ScarCruft infrastructure. The analysts are still working to identify the intrusion method, but have suggested that the threat actors may have used their signature RokRAT backdoor.

The involvement of two state-supported hacking groups in this attack could suggest a calculated strategy by the North Korean state. By deploying multiple actors against NPO Mashinostroyeniya, a significant espionage target, the state may have been aiming to increase the odds of a successful breach.