Disclosure of the cyber attack

In recent days, it has become known that the IT systems of a major Russian missile manufacturer, NPO Maschinostrojenija, have been infiltrated by a hacker group. According to reports, the attackers are the North Korean group known as ScarCruft, also tracked as APT37.

Intrusion through data leak

The cyberattack was uncovered by security analysts from SentinelLabs, who gained access to confidential internal emails from the missile manufacturer after the messages had been exposed in a data leak. The analysts came across evidence that NPO Maschinostrojenija's IT staff had previously noticed suspicious activity on the company's network.

Malicious DLL file discovered

After further investigation, the missile manufacturer's administrators discovered a malicious DLL file on the compromised servers. As a result, external security experts were brought in to investigate the incident further. The SentinelLabs report suggests that the hackers had deployed OpenCarrot, a Windows backdoor, inside the Russian company's network. OpenCarrot has previously been linked to the North Korean hacker group Lazarus.

Extensive access rights through OpenCarrot

The OpenCarrot backdoor gave the attackers far-reaching access rights on the infected systems. This allowed them to manipulate files and processes and to communicate with an external server. They also used the backdoor to infect further systems via newly connected USB drives.

Cause of the attack unclear

It has not yet been conclusively established how exactly the ScarCruft hackers were able to gain access to the IT systems of NPO Maschinostrojenija. However, the analysts at SentinelLabs found evidence of tools and techniques that have been attributed to the group in the past, particularly in connection with its characteristic RokRAT backdoor.

NPO Maschinostrojenija as a missile manufacturer

The missile manufacturer NPO Maschinostrojenija supplies the Russian and Indian armed forces, among others, with defensive and offensive missiles. In 2014, the US government imposed sanctions on the company.

Conclusion: vigilance in the networked world

This incident once again highlights the importance of cyber security and the protection of sensitive data in today's connected world. Companies and organizations must remain vigilant and defend themselves proactively against potential cyberattacks in order to shield themselves and their customers from serious consequences.
