Russia and North Korea may reprotedly be allies on paper, but in the real world, this may not be as concrete, as two North Korean state-sponsored threat actors have been found targeting an important Russian missile engineering company.
Cybersecurity researchers from SentinelOne discovered two groups – StarCruft and Lazarus Group, targeting NPO Mashinostroyenia. StarCruft managed to compromised “sensitive internal IT infrastructure”, including an email server.
Lazarus, on the other hand, used a Windows backdoor known as OpenCarrot. The former is under the direct command of the Ministry of State Security, while the latter answers to the Reconnaissance General Bureau (RGB), the country’s main foreign intelligence service.
OpenCarrot
OpenCarrot is a versatile piece of malware, the researchers further explained, capable of “full compromise”. It sports 25 different commands, allowing the threat actors to spy on its victims, edit file systems, and operate multiple mechanisms of communication.
“With a wide range of supported functionality, OpenCarrot enables full compromise of infected machines, as well as the coordination of multiple infections across a local network,” said security researchers Tom Hegel and Aleksandar Milenkoski.
In hindsight, the choice of target isn’t that surprising, knowing that North Korea is investing heavy resources into developing its highly controversial missile program which, among other things, resulted in countless international sanctions. NPO Mashinostroyeniya, on the other hand, is a rocket design bureau based in Reutov, the media say. It was blacklisted by the U.S. Department of Treasury back in 2014, due to “Russia’s continued attempts to destabilize eastern Ukraine and its ongoing occupation of Crimea.”
This is one of the rare recorded examples of allies targeting allies through cyber-warfare, in order to advance their strategic goals. Time describes the North Korean government as being “hell-bent” on developing its nuclear program and missile capabilities for over 60 years now.
Via: The Hacker News
Source link
