North Korean hackers infiltrate Russian missile developer.

An ‍Elite⁤ Group of North Korean Hackers Breached Russian ⁤Missile Developer

An elite group ​of‍ North Korean hackers secretly breached computer ‍networks ⁤at a ⁢major Russian missile developer‍ for at least ⁤five months last ⁣year, according to technical evidence reviewed by Reuters ​and analysis by security researchers.

Reuters found‌ cyber-espionage teams linked to ⁢the ⁤ North Korean government, which security researchers call ScarCruft and Lazarus, secretly installed stealthy digital‍ backdoors into systems at ‌NPO Mashinostroyeniya, a rocket design bureau based in Reutov, a small town on ⁣the outskirts ⁤of ​Moscow.

Reuters could not determine whether any data was taken during⁣ the intrusion or⁤ what information may have⁣ been viewed. In the months following the digital break-in Pyongyang announced several developments in its banned ballistic missile program but it is not clear if this was related to the breach.

Experts say the incident⁤ shows how the isolated⁣ country will even ‌target its ⁣allies, ‍such as Russia, in a bid​ to acquire critical ⁣technologies.

NPO Mashinostroyeniya did not⁣ respond ‍to requests from Reuters for comment. ‌Russia’s embassy in⁤ Washington did not respond to ⁣an emailed request for⁢ comment. North Korea‘s ‍mission to the United Nations in ⁣New York did not respond to a request for comment.

News of ‍the hack comes shortly after a trip to‌ Pyongyang last month by Russian defense⁤ minister Sergei Shoigu ⁢for the 70th anniversary​ of the Korean War; the first visit by a‍ Russian defense minister⁣ to North Korea since the 1991 breakup of the Soviet Union.

The targeted company, commonly known as NPO ‌Mash, has acted as ‍a pioneer developer of hypersonic missiles, satellite technologies, and ⁣newer generation‍ ballistic armaments, according⁤ to missile experts—three ‍areas‍ of ​keen‌ interest to ⁤ North Korea since ⁢it embarked on its mission⁤ to create an Intercontinental Ballistic‍ Missile (ICBM) capable​ of ⁤striking the mainland United States.

According to technical data, the intrusion⁢ roughly began in ⁤late 2021⁣ and⁢ continued until May 2022 when, according to internal communications ⁤at the company reviewed by Reuters, IT engineers detected ⁢the hackers’ activity.

NPO‌ Mash ‌grew‌ to prominence during the Cold War as a premier satellite maker‌ for Russia’s space program and as a provider of cruise missiles.

Email Hack

The hackers dug into the company’s IT environment, giving them⁣ the ability to read email ⁤traffic, ⁢jump between networks, and extract data, ⁤according to Tom Hegel, a security researcher with U.S.⁣ cybersecurity firm SentinelOne, ⁣who initially discovered the ⁣compromise.

“These findings⁤ provide ​rare ‌insight into ⁢the clandestine cyber ⁣operations that traditionally⁢ remain concealed from public ⁣scrutiny ‌or ⁢are simply never caught ‌by such victims,” Hegel said.

Hegel’s team of security analysts at SentinelOne learned of the ⁣hack after discovering⁣ that an NPO Mash IT‍ staffer accidentally ⁤leaked his ‍company’s internal communications while ​attempting to investigate the North Korean attack by uploading evidence to a private portal used by cybersecurity researchers worldwide.

When contacted by​ Reuters, that IT staffer declined ‌to comment.

The lapse provided Reuters and SentinelOne with a unique snapshot into a company⁢ of ‍critical importance ⁣to⁤ the Russian state‍ which was sanctioned ⁤by the Obama administration following‌ the ⁢invasion of Crimea.

Two independent computer‍ security experts, Nicholas Weaver and Matt Tait, reviewed the exposed⁤ email⁤ content and ⁣confirmed its authenticity. The analysts verified ⁤the‌ connection by checking⁢ the email’s cryptographic signatures against ‌a set of keys controlled by⁢ NPO Mash.

“I’m ‌highly confident⁢ the‍ data’s authentic,” Weaver told Reuters. “How the information ⁤was exposed was an absolutely⁤ hilarious screwup”.

SentinelOne ⁢said they were confident North Korea ​was behind the hack because the cyber spies re-used previously known malware and malicious⁢ infrastructure‍ set up​ to carry out other intrusions.

‘Movie Stuff’

In 2019, ⁤Russian President Vladimir Putin touted NPO⁤ Mash’s “Zircon” ‌hypersonic missile as​ a “promising new product”, capable of traveling⁢ at around ⁤nine times the speed of sound.

The ⁣fact North ‍Korean hackers may have ‍obtained​ information about the Zircon ​does not mean they would immediately‍ have that same capability, said Markus ‍Schiller, a‍ Europe-based missile ‍expert‍ who has researched foreign aid to North Korea‘s missile program.

“That’s movie⁣ stuff,” he said. “Getting ⁣plans won’t help‍ you⁢ much‍ in‌ building these ⁣things, there is a lot ‍more to it than ⁢some drawings”.

However, given NPO Mash’s position as a top ‍Russian ​missile designer and producer, the company ⁤would be a valuable target, Schiller added.

“There ⁢is⁢ much to learn from ‌them,” he ‍said.

Another area of interest could be in ​the‍ manufacturing process used by NPO Mash surrounding⁢ fuel, experts said. Last ⁢month, ‌ North⁣ Korea ⁢test-launched the Hwasong-18, the first of its ⁤ICBMs to use solid propellants.

That fueling method ⁢can allow for faster deployment of missiles during‍ war because it does not require fueling on a launchpad, making the missiles harder to track ⁢and destroy before​ blast-off.

NPO Mash‌ produces an ICBM ⁤dubbed the SS-19 which⁢ is fueled in ​the factory and sealed shut, a process known as “ampulisation” that yields a similar strategic ⁣result.

“It’s hard to do because rocket propellant, especially the oxidizer, ‍is very corrosive,” ​said Jeffrey ⁣Lewis, a missile researcher⁤ at the ‌James Martin Center for Nonproliferation Studies.

“North‌ Korea announced that‍ it was doing the same⁢ thing in ⁤late 2021. If NPO Mash had one⁣ useful‌ thing for them, that⁣ would⁤ be top of my list,” he added.

(Reporting by James Pearson ‍in London and Christopher Bing​ in Washington; editing ‌by Chris Sanders and Alistair Bell)