North Korean Cybercriminals Conduct Intrusion on Russian Missile Firm

Two distinct North Korean nation-state actors have been implicated in a cyber intrusion targeting NPO Mashinostroyeniya, a prominent Russian missile engineering firm. The breach, uncovered by the cybersecurity company SentinelOne, involved the compromise of sensitive internal IT infrastructure through an email server and the deployment of a Windows backdoor known as OpenCarrot.

The North Korean Attack Details

The breach of the Linux email server has been attributed to the ScarCruft group, also known as APT37, which operates under the Ministry of State Security (MSS) in North Korea. The deployment of the OpenCarrot Windows backdoor has been linked to the Lazarus Group, a faction of Lab 110 under the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence service. These attacks were identified in mid-May 2022. The exact methods used to breach the email server and deliver OpenCarrot remain unknown.

Meanwhile, ScarCruft is known for employing social engineering techniques to deliver backdoors like RokRat. Notably, the investigation into the attack infrastructure revealed two domains, centos-packages[.]com and redhat-packages[.]com, which bear similarities to the domains used by the same threat actors in the JumpCloud hack in June 2023.


This rare convergence of two independent North Korean threat activity clusters on the same entity signifies a highly strategic espionage mission. The compromised missile engineering firm, NPO Mashinostroyeniya, plays a vital role in Russia’s defense and missile development, making it a valuable target for espionage.

OpenCarrot’s Capabilities

OpenCarrot, the Windows backdoor used in the attacks, is designed as a dynamic-link library (DLL) and supports over 25 commands. These commands enable the threat actors to execute reconnaissance, manipulate file systems and processes, and manage various communication mechanisms. The backdoor also lets the attackers gain complete control over infected machines and coordinate multiple infections across a local network.

A Covert Advancement of Missile Development Objectives of North Korea

The intrusion into NPO Mashinostroyeniya demonstrates North Korea’s proactive efforts to clandestinely advance its missile development goals. The breach directly targeted a significant Russian Defense-Industrial Base (DIB) organization, underscoring the nation’s commitment to acquiring sensitive military technology and information.

All in all, the use of sophisticated tools like OpenCarrot highlights the growing capabilities of threat actors, underscoring the need for robust cybersecurity measures to protect sensitive industries and defense establishments.
