North Korean hackers breached top Russian missile maker
[August 07, 2023]
By James Pearson and Christopher Bing
LONDON/WASHINGTON (Reuters) - An elite group of North Korean hackers
secretly breached computer networks at a major Russian missile developer
for at least five months last year, according to technical evidence
reviewed by Reuters and analysis by security researchers.
Reuters found that cyber-espionage teams linked to the North Korean
government, which security researchers call ScarCruft and Lazarus,
secretly installed stealthy digital backdoors on systems at NPO
Mashinostroyeniya, a rocket design bureau based in Reutov, a small town
on the outskirts of Moscow.
Reuters could not determine whether any data was taken during the
intrusion or what information may have been viewed. In the months
following the digital break-in, Pyongyang announced several developments
in its banned ballistic missile program, but it is not clear whether these
were related to the breach.
Experts say the incident shows how the isolated country will even target
its allies, such as Russia, in a bid to acquire critical technologies.
NPO Mashinostroyeniya did not respond to requests from Reuters for
comment. Russia's embassy in Washington did not respond to an emailed
request for comment. North Korea's mission to the United Nations in New
York did not respond to a request for comment.
News of the hack comes shortly after a trip to Pyongyang last month by
Russian defence minister Sergei Shoigu for the 70th anniversary of the
Korean War; the first visit by a Russian defence minister to North Korea
since the 1991 breakup of the Soviet Union.
The targeted company, commonly known as NPO Mash, has acted as a pioneer
developer of hypersonic missiles, satellite technologies and newer
generation ballistic armaments, according to missile experts – three
areas of keen interest to North Korea since it embarked on its mission
to create an Intercontinental Ballistic Missile (ICBM) capable of
striking the mainland United States.
According to technical data, the intrusion began in roughly late 2021
and continued until May 2022, when, according to internal communications
at the company reviewed by Reuters, IT engineers detected the hackers'
activity.
NPO Mash grew to prominence during the Cold War as a premier satellite
maker for Russia's space programme and as a provider of cruise missiles.
EMAIL HACK
The hackers dug into the company's IT environment, giving them the
ability to read email traffic, jump between networks, and extract data,
according to Tom Hegel, a security researcher with U.S. cybersecurity
firm SentinelOne, who initially discovered the compromise.
"These findings provide rare insight into the clandestine cyber
operations that traditionally remain concealed from public scrutiny or
are simply never caught by such victims," Hegel said.
Hegel's team of security analysts at SentinelOne learned of the hack
after discovering that an NPO Mash IT staffer accidentally leaked his
company's internal communications while attempting to investigate the
North Korean attack by uploading evidence to a private portal used by
cybersecurity researchers worldwide.
When contacted by Reuters, that IT staffer declined to comment.
The lapse provided Reuters and SentinelOne with a unique snapshot
into a company of critical importance to the Russian state which was
sanctioned by the Obama administration following the invasion of
Crimea.
Two independent computer security experts, Nicholas Weaver and Matt
Tait, reviewed the exposed email content and confirmed its
authenticity. The analysts verified that the messages originated from
NPO Mash by checking the emails' cryptographic signatures against a set
of keys controlled by the company.
"I'm highly confident the data's authentic," Weaver told Reuters.
"How the information was exposed was an absolutely hilarious
screwup".
SentinelOne said it was confident North Korea was behind the hack
because the cyber spies re-used previously known malware and
malicious infrastructure that had been set up to carry out other intrusions.
'MOVIE STUFF'
In 2019, Russian President Vladimir Putin touted NPO Mash's "Zircon"
hypersonic missile as a "promising new product", capable of
travelling at around nine times the speed of sound.
The fact North Korean hackers may have obtained information about
the Zircon does not mean they would immediately have that same
capability, said Markus Schiller, a Europe-based missile expert who
has researched foreign aid to North Korea's missile programme.
"That's movie stuff," he said. "Getting plans won't help you much in
building these things, there is a lot more to it than some
drawings".
However, given NPO Mash's position as a top Russian missile designer
and producer, the company would be a valuable target, Schiller
added.
"There is much to learn from them," he said.
Another area of interest could be NPO Mash's manufacturing processes
for propellant, experts said. Last month, North Korea
test-launched the Hwasong-18, the first of its ICBMs to use solid
propellants.
That fuelling method can allow for faster deployment of missiles
during war, because it does not require fuelling on a launchpad,
making the missiles harder to track and destroy before blast-off.
NPO Mash produces an ICBM dubbed the SS-19 which is fuelled in the
factory and sealed shut, a process known as "ampulisation" that
yields a similar strategic result.
"It's hard to do because rocket propellant, especially the oxidiser,
is very corrosive," said Jeffrey Lewis, a missile researcher at the
James Martin Center for Nonproliferation Studies.
"North Korea announced that it was doing the same thing in late
2021. If NPO Mash had one useful thing for them, that would be top
of my list," he added.
(Reporting by James Pearson in London and Christopher Bing in
Washington; editing by Chris Sanders and Alistair Bell)
[© 2023 Thomson Reuters. All rights reserved.] This material may not be
published, broadcast, rewritten or redistributed.
Thomson Reuters is solely responsible for this content.