Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company
By Tom Hegel and Aleksandar Milenkoski
Executive Summary
- SentinelLabs identified an intrusion into the Russian defense industrial base, specifically the missile engineering organization NPO Mashinostroyeniya.
- Our findings identify two instances of North Korea-related compromise of sensitive internal IT infrastructure within this same Russian DIB organization, including a specific email server, alongside the use of a Windows backdoor dubbed OpenCarrot.
- Our analysis attributes the email server compromise to the ScarCruft threat actor. We also identify the separate use of a Lazarus Group backdoor to compromise the organization's internal network.
- At this time, we cannot determine the nature of the relationship between the two threat actors. We acknowledge a possible sharing relationship between the two DPRK-affiliated threat actors, as well as the possibility that tasking deemed this target important enough to assign to multiple independent threat actors.
Background
North Korean threat actors have caught our attention over the past year, providing us with fruitful …
IoC
SHA1
07b494575d548a83f0812ceba6b8d567c7ec86ed
2217c29e5d5ccfcf58d2b6d9f5e250b687948440
246018220a4f4f3d20262b7333caf323e1c77d2e
8b6ffa56ca5bea5b406d6d8d6ef532b4d36d090f
90f52b6d077d508a23214047e680dded320ccf4e
f483c33acf0f2957da14ed422377387d6cb93c4d
f974d22f74b0a105668c72dc100d1d9fcc8c72de
MD5
0b7dad90ecc731523e2eb7d682063a49
516beb7da7f2a8b85cb170570545da4b
6ad6232bcf4cef9bf40cbcae8ed2f985
9216198a2ebc14dd68386738c1c59792
921aa3783644750890b9d30843253ec6
99fd2e013b3fba1d03a574a24a735a82
d0f6cf0d54cf77e957bce6dfbbd34d8e
IPv4
5.134.119.142
96.9.255.150
160.202.79.226
185.24.244.11
192.169.7.197
Email
[email protected]
URLs
http://5.134.119.142
http://96.9.255.150
http://160.202.79.226
http://185.24.244.11
http://192.169.7.197
http://606qipai.com
http://asplinc.com
http://bsef.or.kr
http://centos-packages.com
http://centos-pkg.org
http://centos-repos.org
http://dallynk.com
http://redhat-packages.com
http://vpk.npomash.ru
http://yolenny.com
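To make the indicator list actionable, the following is an added example (not code from the SentinelLabs report) that classifies the indicators above by type and hunts for them in log lines. The indicator values are the ones listed on this page, minus the email address, which the page only shows in obfuscated form; the log lines are constructed for the example and are not from the incident.

```python
"""Classify the IoCs from the list above and hunt for them in log lines.

Added example; not code from the SentinelLabs report.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from the IoC list above (the email entry is omitted because
# the page only shows it in obfuscated form).
RAW_IOCS = [
    "07b494575d548a83f0812ceba6b8d567c7ec86ed", "0b7dad90ecc731523e2eb7d682063a49",
    "160.202.79.226", "185.24.244.11", "192.169.7.197",
    "2217c29e5d5ccfcf58d2b6d9f5e250b687948440", "246018220a4f4f3d20262b7333caf323e1c77d2e",
    "5.134.119.142", "516beb7da7f2a8b85cb170570545da4b", "6ad6232bcf4cef9bf40cbcae8ed2f985",
    "8b6ffa56ca5bea5b406d6d8d6ef532b4d36d090f", "90f52b6d077d508a23214047e680dded320ccf4e",
    "9216198a2ebc14dd68386738c1c59792", "921aa3783644750890b9d30843253ec6", "96.9.255.150",
    "99fd2e013b3fba1d03a574a24a735a82", "d0f6cf0d54cf77e957bce6dfbbd34d8e",
    "f483c33acf0f2957da14ed422377387d6cb93c4d", "f974d22f74b0a105668c72dc100d1d9fcc8c72de",
    "http://160.202.79.226", "http://185.24.244.11", "http://192.169.7.197",
    "http://5.134.119.142", "http://606qipai.com", "http://96.9.255.150", "http://asplinc.com",
    "http://bsef.or.kr", "http://centos-packages.com", "http://centos-pkg.org",
    "http://centos-repos.org", "http://dallynk.com", "http://redhat-packages.com",
    "http://vpk.npomash.ru", "http://yolenny.com",
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# A log token worth comparing: hex digests, dotted IPs and hostnames all match this,
# while separators such as '=', ':', '/' and '\' end a token.
TOKEN_RE = re.compile(r"[0-9A-Za-z][0-9A-Za-z.\-]*")


def classify(ioc):
    """Return 'md5', 'sha1', 'ipv4', 'url' or 'domain' for one indicator string."""
    s = ioc.strip().lower()
    if MD5_RE.match(s):
        return "md5"
    if SHA1_RE.match(s):
        return "sha1"
    try:
        ipaddress.ip_address(s)
        return "ipv4"
    except ValueError:
        pass
    return "url" if "://" in s else "domain"


def build_index(iocs):
    """Group indicators into lookup sets by type. URLs are reduced to their host so a
    log line that records only the host (DNS, proxy, firewall) still matches."""
    index = {"md5": set(), "sha1": set(), "ipv4": set(), "domain": set()}
    for ioc in iocs:
        kind = classify(ioc)
        if kind == "url":
            host = urlparse(ioc.strip().lower()).hostname
            if host:
                index[classify(host)].add(host)
        else:
            index[kind].add(ioc.strip().lower())
    return index


def scan_line(line, index):
    """Return [(kind, indicator), ...] for every indicator found in one log line.
    Matching is on whole tokens, so an indicator never matches as a substring."""
    hits = []
    for tok in TOKEN_RE.findall(line):
        t = tok.lower().rstrip(".")  # tolerate trailing dots on FQDNs
        for kind, values in index.items():
            if t in values:
                hits.append((kind, t))
    return hits


def hunt(lines, iocs=RAW_IOCS):
    """Return [(line_number, hits)] for each line with at least one hit."""
    index = build_index(iocs)
    results = []
    for n, line in enumerate(lines):
        hits = scan_line(line, index)
        if hits:
            results.append((n, hits))
    return results


# Constructed log lines for this example; they are not from the incident.
SAMPLE_LOGS = [
    "2023-05-02T10:14:03Z proxy GET http://centos-packages.com/pkg/list.txt client=10.0.4.17",
    "2023-05-02T10:14:09Z fw allow src=10.0.4.17 dst=5.134.119.142:443 proto=tcp",
    "2023-05-02T10:15:41Z edr file_create path=C:\\Users\\Public\\svc.dll "
    "sha1=07B494575D548A83F0812CEBA6B8D567C7EC86ED",
    "2023-05-02T10:16:00Z dns query a=www.example.com client=10.0.4.17",
]

if __name__ == "__main__":
    for n, hits in hunt(SAMPLE_LOGS):
        print(n, hits)
```

Whole-token matching and case folding are deliberate: digests in EDR telemetry are often uppercase, and substring matching on IPs produces false hits. Hashes are the weakest of these indicators, since a recompiled sample changes them, while the package-repository lookalike domains (centos-*, redhat-packages) are worth a standing DNS watch even after the listed IPs age out.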