North Korean hackers infiltrate leading Russian missile manufacturer
- 10:01 PM, Aug 07, 2023
- Myind Staff
According to technical evidence examined by Reuters and analysis conducted by security researchers, a select group of North Korean hackers covertly infiltrated computer networks belonging to a significant Russian missile developer for a period spanning at least five months in the previous year.
As per reports, Reuters discovered that cyber-espionage units associated with the North Korean government, referred to as ScarCruft and Lazarus by security experts, clandestinely introduced discreet digital back doors into the systems of NPO Mashinostroyeniya. This rocket design bureau is located in Reutov, a small town situated on the outskirts of Moscow.
However, Reuters was unable to ascertain whether any data was extracted during the breach or what specific information might have been accessed. Notably, in the months subsequent to the digital intrusion, Pyongyang made announcements regarding advancements in its prohibited ballistic missile program, although it remains uncertain whether these developments were connected to the breach. Experts have pointed out that this incident underscores the isolated country's willingness to target even its allies, such as Russia, in its quest to acquire essential technologies.
Remarkably, this revelation comes shortly after Russian defense minister Sergei Shoigu's visit to Pyongyang last month, coinciding with the 70th anniversary of the Korean War. This marked the initial visit by a Russian defense minister to North Korea since the dissolution of the Soviet Union in 1991. Notably, NPO Mashinostroyeniya, Russia's embassy in Washington, and North Korea's mission to the United Nations in New York have yet to respond to requests for comments regarding the hack.
The company under attack, commonly referred to as NPO Mash, has long been recognized as a trailblazing developer in the domains of hypersonic missiles, satellite technologies, and advanced ballistic armaments. These are fields that hold significant appeal for North Korea, particularly as it seeks to develop an Intercontinental Ballistic Missile (ICBM) capable of targeting the mainland United States.
The breach started in late 2021 and lasted until May 2022, according to internal communications, when IT engineers at NPO Mash discovered the hackers' activities. The intrusion compromised NPO Mash's IT environment, giving the hackers the ability to read email traffic, move between networks, and extract data. SentinelOne's Tom Hegel verified the breach.
“These findings provide rare insight into the clandestine cyber operations that traditionally remain concealed from public scrutiny or are simply never caught by such victims,” Hegel said.
SentinelOne's security team, led by Hegel, discovered the hack after stumbling upon leaked internal communications from an NPO Mash IT staff member investigating the North Korean cyber attack. The staffer unintentionally uploaded evidence to a private cybersecurity research portal. Reuters contacted the staffer, who declined to comment.
This oversight provided a unique glimpse into a critical Russian entity, NPO Mash, previously sanctioned by the Obama administration after the Crimea invasion. Independent experts Weaver and Tait authenticated the leaked emails by cross-referencing cryptographic signatures with NPO Mash's controlled keys.
“I’m highly confident the data’s authentic,” Weaver told Reuters. “How the information was exposed was an absolutely hilarious screw-up. That’s movie stuff,” he said. “Getting plans won’t help you much in building these things, there is a lot more to it than some drawings.”
However, given NPO Mash’s position as a top Russian missile designer and producer, the company would be a valuable target, Schiller added. “There is much to learn from them,” he said.
NPO Mash's manufacturing process, particularly its fuel production, could be of interest. North Korea recently test-launched the Hwasong-18, its first ICBM using solid propellants. This method enables quicker missile deployment during war, complicating tracking and destruction. NPO Mash's sealed-fuel ICBM, SS-19, follows a similar process, potentially valuable to North Korea's efforts.
The presence of a Russian military jet in North Korea has also raised concerns about weapons exchange between Kim Jong-un and Vladimir Putin, as their ties strengthen. The Ilyushin IL-62M flew from Moscow to Pyongyang, staying for around 36 hours. The flight, the first of its kind since 2019, has garnered attention, with neither country providing information about it.