North Korean hackers ‘breach top Russian missile maker’
- Cyber-espionage teams secretly installed ‘digital back doors’ into systems at a rocket design bureau near Moscow, says Reuters
- Experts say incident shows how the isolated country will even target its allies, such as Russia, in a bid to acquire critical technologies
Reuters found cyber-espionage teams linked to the North Korean government – which security researchers call ScarCruft and Lazarus – secretly installed stealthy digital back doors into systems at NPO Mashinostroyeniya, a rocket design bureau based in Reutov, a small town on the outskirts of Moscow.
Reuters could not determine whether any data was taken during the intrusion or what information may have been viewed. In the months following the digital break-in Pyongyang announced several developments in its banned ballistic missile programme but it is not clear if this was related to the breach.
Experts say the incident shows how the isolated country will even target its allies, such as Russia, in a bid to acquire critical technologies.
NPO Mashinostroyeniya did not respond to requests from Reuters for comment. Russia’s embassy in Washington did not respond to an emailed request for comment. North Korea’s mission to the United Nations in New York did not respond to a request for comment.
News of the hack comes soon after a trip to Pyongyang last month by Russian defence minister Sergei Shoigu for the 70th anniversary of the Korean war, the first visit by a Russian defence minister to North Korea since the 1991 break-up of the Soviet Union.
02:04
North Korea confirms detention of US soldier who bolted across border from South Korea
The targeted company – commonly known as NPO Mash – has acted as a pioneer developer of hypersonic missiles, satellite technologies and newer generation ballistic armaments, according to missile experts – three areas of keen interest to North Korea since it embarked on its mission to create an Intercontinental Ballistic Missile (ICBM) capable of striking the mainland United States.
According to technical data, the intrusion roughly began in late 2021 and continued until May 2022 when, according to internal communications at the company reviewed by Reuters, IT engineers detected the hackers’ activity.
NPO Mash grew to prominence during the Cold War as a premier satellite maker for Russia’s space programme and as a provider of cruise missiles.
Email hack
The hackers dug into the company’s IT environment, giving them the ability to read email traffic, jump between networks, and extract data, according to Tom Hegel, a security researcher with US cybersecurity firm SentinelOne, who initially discovered the compromise.
“These findings provide rare insight into the clandestine cyber operations that traditionally remain concealed from public scrutiny or are simply never caught by such victims,” Hegel said.
Hegel’s team of security analysts at SentinelOne learned of the hack after discovering that an NPO Mash IT staffer accidentally leaked his company’s internal communications while attempting to investigate the North Korean attack by uploading evidence to a private portal used by cybersecurity researchers worldwide.
When contacted by Reuters, that IT staffer declined to comment.
The lapse provided Reuters and SentinelOne with a unique snapshot into a company of critical importance to the Russian state which was sanctioned by the Obama administration following the invasion of Crimea.
“I’m highly confident the data’s authentic … how the information was exposed was an absolutely hilarious screw-up”
Two independent computer security experts, Nicholas Weaver and Matt Tait, reviewed the exposed email content and confirmed its authenticity. The analysts verified the connection by checking the email’s cryptographic signatures against a set of keys controlled by NPO Mash.
“I’m highly confident the data’s authentic,” Weaver told Reuters. “How the information was exposed was an absolutely hilarious screw-up”.
SentinelOne said they were confident North Korea was behind the hack because the cyber spies reused previously known malware and malicious infrastructure set up to carry out other intrusions.
Asia has 5 of the world’s top 7 most powerful navies. Singapore ranks No 24
In 2019, Russian President Vladimir Putin touted NPO Mash’s “Zircon” hypersonic missile as a “promising new product”, capable of travelling at around nine times the speed of sound.
The fact North Korean hackers may have obtained information about the Zircon does not mean they would immediately have that same capability, said Markus Schiller, a Europe-based missile expert who has researched foreign aid to North Korea’s missile programme.
“That’s movie stuff,” he said. “Getting plans won’t help you much in building these things, there is a lot more to it than some drawings”.
However, given NPO Mash’s position as a top Russian missile designer and producer, the company would be a valuable target, Schiller added.
“There is much to learn from them,” he said.
Another area of interest could be in the manufacturing process used by NPO Mash surrounding fuel, experts said. Last month, North Korea test-launched the Hwasong-18, the first of its ICBMs to use solid propellants.
That fuelling method can allow for faster deployment of missiles during war, because it does not require fuelling on a launch pad, making the missiles harder to track and destroy before blast-off.
NPO Mash produces an ICBM dubbed the SS-19 which is fuelled in the factory and sealed shut, a process known as “ampulisation” that yields a similar strategic result.
“It’s hard to do because rocket propellant, especially the oxidiser, is very corrosive,” said Jeffrey Lewis, a missile researcher at the James Martin Centre for Nonproliferation Studies.
“North Korea announced that it was doing the same thing in late 2021. If NPO Mash had one useful thing for them, that would be top of my list,” he added.
North Korea says US’ Taiwan arms aid pushing region to ‘ignition point of war’
Meanwhile, an unusual sighting of a Russian military jet in North Korea is stoking concern that Kim Jong-un is selling Vladimir Putin weapons as ties strengthen between the sanctioned states.
Tracking data from FlightRadar24 shows the Russian Air Force Ilyushin IL-62M flying from Moscow to Pyongyang on July 31 and returning on August 2.
Satellite imagery showed the aircraft at Pyongyang’s international airport for about 36 hours, according to NK News, a Seoul-based provider of news on North Korea that also tracks flight activity in the isolated country.
The flight was the first by this type of Russian military VIP plane to North Korea since mid-2019, when Russian Deputy Defence Minister Alexander Fomin travelled to Pyongyang, NK News said.
Pyongyang closed its borders in early 2020 due to the pandemic, choking its economy.
Neither Russia nor North Korea have reported on the plane, and it is unclear who was aboard. Russia’s Defence Ministry did not respond to a request for comment.
Additional reporting by Bloomberg
