HOW THE RUSSIA-NORTH KOREA FRIENDSHIP WENT BALLISTIC
August 10, 2023 - Durt Fibo
On July 25, Russian Defense Minister Sergei Shoigu made the first official visit of that calibre to North Korea since the demise of the USSR. The purported reason was to bring brotherly salutations to the country on the 70th anniversary of the Korean War armistice, which North Korea calls “Victory Day.” United States Secretary of State Antony Blinken asserted that the trip was for purchasing desperately needed weapons. Shoigu arrived just one day after North Korea had fired two ballistic missiles off its east coast in response to a US nuclear-powered submarine appearing at a South Korean base. That was the third such North Korean missile launch of the week, out of roughly 100 since the year began.
Shoigu’s team was joined by a Chinese Communist Party delegation headed by Politburo member Li Hongzhong, which was inevitable as the Kim dynasty only exists so long as it is useful to, or tolerated by, China. On this occasion the three national players toured munitions facilities, which Kim Jong Un gleefully showed off as living death monuments of his accelerating nuclear and ballistic missiles program.
Bearing offers of food for North Korea, Shoigu may not have been fully aware of the mockery behind the hospitality, for it turns out that much of Kim’s military success came from stolen Russian production secrets. In 2019, Russian President Vladimir Putin proclaimed that his development of the “Zircon” hypersonic missile was, with understatement, “a promising new product.” By late 2021 North Korea had hacked into the Russian program, and in the months following the digital break-in Pyongyang announced several developments in its own banned ballistic missile program. Last month it test-fired a solid-propellant ICBM, the Hwasong-18, which utilized the same secret method Russia had developed for its SS-19 ICBM: ampulisation, a process in which the missile is fuelled in the factory and sealed shut. Because the missile no longer needs fuelling on a launchpad, it can be launched faster and is harder to track and destroy before blast-off. The process is significant because “rocket propellant, especially the oxidizer, is very corrosive,” according to Jeffrey Lewis, a missile researcher at the James Martin Center for Nonproliferation Studies.
In Reutov, outside of Moscow, sits the hacked missile developer НПО Машиностроения [NPO Mashinostroyeniya], a subsidiary of АО Корпорация Тактическое Ракетное Вооружение, КТРВ [JSC Tactical Missiles Corporation KTRV], perhaps the leading state-owned industrial conglomerate responsible for engineering and producing most of Russia’s high-end military technology, especially missiles. It was not until August 7, 2023, when SentinelLabs published its findings, that the West learned what had transpired. Russian media, naturally, has been reticent about the discovery.
In the simplest terms, what North Korea did was to breach computer networks at NPO Mashinostroyeniya by planting a backdoor and gaining free rein throughout the company’s IT environment, which gave it access to email traffic, the ability to move between networks, and the ability to extract data. Although in May of last year some workers at NPO Mashinostroyeniya “flagged” a possible system intrusion and found a suspicious DLL file present across different internal systems, it appears that it was western security researchers who pinpointed the unwanted activity. Much of the information was collected and analyzed by SentinelLabs, the research arm of SentinelOne, who summarized the hack as follows:
“During our investigation, we identified the suspicious file in question to be a version of the OpenCarrot Windows OS backdoor, previously identified by IBM X-Force as part of Lazarus group activities. As a feature-rich, configurable, and versatile backdoor, the malware is a strong enabler of the group’s operations. With a wide range of supported functionality, OpenCarrot enables full compromise of infected machines, as well as the coordination of multiple infections across a local network. The OpenCarrot variant we analyzed supports proxying C2 communication through the internal network hosts and directly to the external server, which supports the strong possibility of a network-wide compromise. Additionally, we discovered the suspicious network traffic discussed in emails is the compromise of the business’ Linux email server, hosted publicly at vpk.npomash[.]ru (185.24.244[.]11). At time of discovery, the email server was beaconing outbound to infrastructure we now attribute to the ScarCruft threat actor. ScarCruft is commonly attributed to North Korea’s state-sponsored activity, targeting high value individuals and organizations near-globally. The group is also referred to as Inky Squid, APT37, or Group123, and often showcases a variety of technical capabilities for their intrusions. While we are unable to confirm the initial access method and implant running on the email server at time of discovery, we link malware loading tools and techniques involving this set of infrastructure to those seen in previously reported ScarCruft activity using the RokRAT backdoor.”

Their purely technical mapping of the raid can be found here: https://www.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/
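The quoted summary rests on two observations a defender can reproduce from ordinary network logs: a host connecting outbound at a near-constant interval (beaconing), and a destination that matches infrastructure already attributed to a threat actor. The script below is an added example written for this page, not SentinelLabs tooling and not code from the original article. It parses a constructed firewall log, flags flows whose inter-connection timing is too regular for human traffic, and matches destinations against an indicator list. The log format, the internal workstation addresses, the indicator addresses (documentation range 203.0.113.0/24), the beacon period and the thresholds are all assumptions; only the mail server address 185.24.244.11 comes from the text.

```python
"""Beacon detection and indicator matching over outbound connection logs.

Added illustration for this article, not SentinelLabs code. Everything
below except the mail server address 185.24.244.11 is constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log (one outbound connection per line). The mail
# server calls 203.0.113.7 roughly every ten minutes with small jitter;
# workstation 10.0.0.5 browses 198.51.100.20 at irregular times;
# workstation 10.0.0.9 touches a second listed indicator once.
SAMPLE_LOG = """\
2022-05-17T10:00:00Z src=185.24.244.11 dst=203.0.113.7 dport=443
2022-05-17T10:00:03Z src=10.0.0.5 dst=198.51.100.20 dport=443
2022-05-17T10:10:02Z src=185.24.244.11 dst=203.0.113.7 dport=443
2022-05-17T10:14:40Z src=10.0.0.5 dst=198.51.100.20 dport=443
2022-05-17T10:19:58Z src=185.24.244.11 dst=203.0.113.7 dport=443
2022-05-17T10:30:01Z src=185.24.244.11 dst=203.0.113.7 dport=443
2022-05-17T10:31:15Z src=10.0.0.9 dst=203.0.113.9 dport=80
2022-05-17T10:40:00Z src=185.24.244.11 dst=203.0.113.7 dport=443
2022-05-17T10:41:30Z src=10.0.0.5 dst=198.51.100.20 dport=443
2022-05-17T10:49:59Z src=185.24.244.11 dst=203.0.113.7 dport=443
2022-05-17T11:02:10Z src=10.0.0.5 dst=198.51.100.20 dport=443
2022-05-17T11:27:00Z src=10.0.0.5 dst=198.51.100.20 dport=443
"""

# Hypothetical indicator list (placeholder documentation-range addresses,
# standing in for infrastructure attributed to a threat actor).
IOC_IPS = {"203.0.113.7", "203.0.113.9"}


def parse_log(text):
    """Parse 'ISO8601 key=value ...' lines into dicts with a UTC datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        records.append(rec)
    return records


def find_beacons(records, min_connections=5, max_jitter=0.05):
    """Flag (src, dst, dport) flows whose connection intervals are near-constant.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    successive connections; interactive traffic scores far above 0.05.
    """
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    beacons = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            beacons.append({"flow": flow, "count": len(stamps),
                            "period_s": round(avg), "jitter": round(jitter, 3)})
    return beacons


def match_indicators(records, iocs):
    """Return sorted (src, dst) pairs whose destination is a listed indicator."""
    return sorted({(r["src"], r["dst"]) for r in records if r["dst"] in iocs})


def analyze(text, iocs=IOC_IPS):
    """Run both checks over a log text and return the findings."""
    records = parse_log(text)
    return {"beacons": find_beacons(records),
            "ioc_hits": match_indicators(records, iocs)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for b in result["beacons"]:
        print("beacon:", b)
    for src, dst in result["ioc_hits"]:
        print("ioc hit:", src, "->", dst)
```

On the sample data only the mail server flow is reported as a beacon (six connections, 600 s period, jitter near zero), while the workstation's five irregular connections are dropped by the jitter threshold. The indicator match lists both hosts that reached a listed address; the flow that appears in both results is the one to escalate first, which mirrors how the email server stood out in the quoted analysis. Real implants often randomise their sleep interval, so in production the jitter threshold is tuned per environment and combined with other signals such as byte-count uniformity rather than used alone.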
Word of the hack spread after an NPO Mashinostroyeniya IT staffer clumsily published the company’s internal communications while attempting to investigate the North Korean attack, by uploading evidence to a private portal used by cybersecurity researchers worldwide. SentinelOne said they were positive North Korea sponsored the hack because the intrusion used previously known North Korean malware and malicious infrastructure. Two independent computer security experts, Nicholas Weaver and Matt Tait, reviewed the exposed email content and pronounced it genuine. The analysts verified the connection by checking the emails’ cryptographic signatures against a set of keys controlled by NPO Mashinostroyeniya. Weaver said that he is “highly confident the data’s authentic. How the information was exposed was an absolutely hilarious screwup.”
On 24 March 2022, the United States Office of Foreign Assets Control (OFAC) imposed sanctions on Russian firms including JSC Tactical Missiles Corporation KTRV, JSC NPO High Precision Systems (High Precision Systems), NPK Tekhmash OAO (Tekhmash), Joint Stock Company Russian Helicopters (Russian Helicopters), and Joint Stock Company Kronshtadt (Kronshtadt).