Rewterz Threat Alert – Russian Missile Manufacturer Targeted in Cyber Intrusion Linked to North Korean Threat Actor ‘ScarCruft’ – Active IOCs

Severity

High

Analysis Summary

Cybersecurity researchers have linked a significant cyber compromise of NPO Mashinostroyeniya, a major Russian missile engineering company, to two distinct North Korea-affiliated Advanced Persistent Threat (APT) groups. NPO Mashinostroyeniya, a prominent Russian manufacturer of missiles and military spacecraft, has been targeted. The firm had been previously sanctioned by the U.S. Treasury Department in 2014 for its support of the Russian government’s actions in destabilizing eastern Ukraine and its occupation of Crimea.

In this recent incident, two instances of compromise were detected related to North Korea. These cyber threat actors breached the company’s sensitive internal IT infrastructure, including an email server, and were found using a Windows backdoor named OpenCarrot.

The attack’s attribution indicates that the mail server breach was executed by the ScarCruft APT group, while the OpenCarrot backdoor was linked to the Lazarus group. However, it is unclear whether these two North Korean groups collaborated in a joint cyberespionage effort against the Russian firm.

“Our analysis attributes the email server compromise to the ScarCruft threat actor. We also identify the separate use of a Lazarus Group backdoor for compromise of their internal network.”

The objective of the cyber intrusion was to steal highly confidential intellectual property related to sensitive missile technology. This technology is currently in use and under development for the Russian military. The breach was discovered during routine monitoring of suspected North Korean APT activities. The researchers found a leaked email collection containing an implant associated with North Korean groups, along with information stolen from NPO Mashinostroyeniya.

The intrusion was identified by the Russian company’s IT staff in May 2022. This detection coincided with Russia’s veto of a U.N. resolution aimed at imposing new sanctions on North Korea for its intercontinental ballistic missile launches capable of carrying nuclear weapons. The victim organization internally flagged the intrusion and detected questionable communications between specific processes and unknown external infrastructure. Additionally, a suspicious Dynamic Link Library (DLL) file was identified within different internal systems.

The Windows backdoor, OpenCarrot, was initially detected by IBM XForce and supports various functionalities. The analyzed variant supports Command and Control (C2) communication proxying through internal network hosts to external servers, indicating its use in potentially network-wide compromise attacks. The exact method of the initial attack vector remains unknown, but researchers speculate that the victim was targeted with spear-phishing messages aimed at delivering the RokRAT backdoor.

Furthermore, upon a more detailed examination of the attack infrastructure, it has come to light that two domains, namely centos-packages[.]com and redhat-packages[.]com, share resemblances with the nomenclature employed by the threat actors during the JumpCloud hack that occurred in June 2023.

Researchers attribute the intrusion to North Korean threat actors with a high level of confidence. This incident highlights North Korea’s proactive efforts to covertly advance its missile development objectives, evident through their direct compromise of a Russian Defense-Industrial Base (DIB) organization. The convergence of North Korean cyber threat actors underscores the need for comprehensive global monitoring due to its significant implications.

“This incident stands as a compelling illustration of North Korea’s proactive measures to covertly advance their missile development objectives, as evidenced by their direct compromise of a Russian Defense-Industrial Base (DIB) organization,” they conclude.

Impact

• IT Infrastructure Compromise
• Email Server Compromise
• Exposure to Sensitive Data

Indicators of Compromise

Domain Name

• redhat-packages.com
• centos-packages.com
• dallynk.com
• yolenny.com
• 606qipai.com
• asplinc.com
• bsef.or.kr

MD5

• 9216198a2ebc14dd68386738c1c59792
• 6ad6232bcf4cef9bf40cbcae8ed2f985
• d0f6cf0d54cf77e957bce6dfbbd34d8e
• 921aa3783644750890b9d30843253ec6
• 0b7dad90ecc731523e2eb7d682063a49
• 516beb7da7f2a8b85cb170570545da4b

SHA-256

• 125dde6564589bc5284f244e7c6f49b7b8b1be9c8fdd4c5f29d88b000bb15314
• bd4ef6fae7f29def8e5894bf05057653248f009422de85c1e425d04a0b2df258
• a81b38cda1ad1a1ed2cfc9647e678831fe77500da8ce095667ca5a7d93f8e732
• 8600a593750580cee7240af4069685e8c2a1683d84652122fcdf6a478e5a4e93
• 9022fdb62a8eaf8fe688d07b4b2791e662cf7aac770da3795b92650dff6af4cb
• 5345ac8130adb752a0bd8224969f0ced0172f2fce5aa39a90f3075e75ad50767

SHA-1

• 07b494575d548a83f0812ceba6b8d567c7ec86ed
• 2217c29e5d5ccfcf58d2b6d9f5e250b687948440
• 246018220a4f4f3d20262b7333caf323e1c77d2e
• 8b6ffa56ca5bea5b406d6d8d6ef532b4d36d090f
• f483c33acf0f2957da14ed422377387d6cb93c4d
• f974d22f74b0a105668c72dc100d1d9fcc8c72de

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies
• Enable two-factor authentication
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
• Deploy advanced threat detection solutions that can identify and analyze suspicious activities, patterns, and behaviors across your network and endpoints. Utilize intrusion detection systems (IDS), intrusion prevention systems (IPS), and next-generation firewalls to proactively monitor and block malicious activities.
• Implement network segmentation to compartmentalize sensitive systems and data.
• Strengthen email security protocols to identify and block phishing attempts. Train employees to recognize suspicious emails and attachments, and employ email filtering technologies to reduce the likelihood of successful spear-phishing attacks.
• Regularly update and patch all software, applications, and operating systems to minimize potential entry points for cyber attackers.
• Enforce MFA across your organization to add an extra layer of security to user accounts and critical systems.
• Deploy advanced endpoint security solutions that offer real-time threat detection and response. This includes antivirus software, endpoint detection and response (EDR) tools, and behavioral analysis to identify suspicious activities.
• Ensure that systems are securely configured and hardened following industry best practices. Disable unnecessary services, ports, and protocols to reduce the attack surface.
• Develop and regularly update an incident response plan that outlines the steps to be taken in the event of a cyber attack. This plan should include communication protocols, roles and responsibilities, and procedures for containing and mitigating the attack.
• Conduct regular security audits and penetration testing to identify vulnerabilities and weaknesses in your systems and infrastructure.
• Assess the security practices of third-party vendors and suppliers who have access to your network. Ensure they adhere to robust cybersecurity standards to prevent potential supply chain attacks.