Two North Korean hacker groups had access to the internal systems of the Russian missile and satellite developer NPO Mashinostroyeniya for five to six months in 2022, according to research by cybersecurity firm SentinelOne.
Two separate instances of North Korea-related compromises were identified by SentinelLabs — the threat intelligence and malware analysis arm of SentinelOne — giving access to sensitive internal IT infrastructure within this same Russian defense industrial base (DIB) organization.
The compromises comprised one of the organization’s email server and a separate one involving a Windows backdoor dubbed OpenCarrot. OpenCarrot enables full compromise of infected machines as well as the coordination of multiple infections across a local network.
“Our analysis attributes the email server compromise to the ScarCruft threat actor,” SentinelOne said in a blog post. “We also identify the separate use of a Lazarus group backdoor for compromise of their internal network.”
Evidence was detected accidentally
SentinelOne said it happened upon evidence of the intrusion while hunting and tracking suspected North Korean threat actors.
“(We) identified a leaked email collection containing an implant with characteristics related to previously reported DPRK-affiliated threat actor campaigns,” SentinelOne said. “We are highly confident that the emails related to this activity originate from the victim organization, NPO Mashinostroyeniya.”
The leaked emails in question date back to mid-May 2022, a week after Russia vetoed a resolution to impose new sanctions on North Korea for intercontinental ballistic missile launches.
Internal NPO Mashinostroyeniya emails show IT staff exchanged discussions highlighting questionable communications between specific processes and unknown external infrastructure, according to SentinelLabs.
“The same day, the NPO Mashinostroyeniya staff also identified a suspicious DLL file present in different internal systems,” SentinelOne added.
Because the leaked data comprises a substantial volume of emails unrelated to the research scope, SentinelOne assesses that the emails were likely leaked accidentally or as a result of activity unrelated to the NPO Mash intrusion.
Compromise of Linux-based email server
After examining the emails and investigating the two separate sets of suspicious activity, the questionable communications and the DLL implant, SentinelOne was able to attribute each to a threat actor.
The cybersecurity firm determined that the suspicious network traffic discussed in the emails stemmed from the compromise of the business’ Linux email server, publicly hosted at 185.24.244[.]11. “At the time of discovery, the email server was beaconing outbound to the infrastructure we now attribute to the ScarCruft threat actor,” SentinelOne said.
“The internal host, the organization’s Red Hat email server, was actively compromised and in communication with the attackers’ malicious infrastructure,” SentinelOne said. “A review of all details concludes the threat actor was likely operating on this server for an extensive period of time prior to the internal team’s discovery.”
The ScarCruft group, also referred to as Inky Squid, APT37, or Group123, is commonly attributed to North Korean state-sponsored activity and targets high-value individuals and organizations globally.
Although SentinelOne was unable to confirm either the initial access method or the specific implant running on the email server at the time of discovery, it linked the tooling and techniques used to previous ScarCruft activity involving the RokRAT backdoor.
Involvement of Lazarus group
The second part of the intrusion, the DLL implant, was attributed to another North Korea-linked threat group, the Lazarus group.
“During our investigation, we identified the suspicious file in question to be a version of the OpenCarrot Windows OS backdoor, previously identified by IBM X-Force as part of Lazarus group activities,” SentinelOne said.
The analyzed OpenCarrot sample was implemented as a Windows service DLL file, intended to execute persistently, according to the firm.
The discovered OpenCarrot variant implements over 25 backdoor commands with a wide range of functionality representative of Lazarus group backdoors. Specific functionalities supported in this campaign included reconnaissance, filesystem and process manipulation, reconfiguration, and C2 connectivity. In line with the usual methods of the Lazarus group, OpenCarrot undergoes ongoing alterations that may not always be incremental.