Exclusive: North Korean hackers breached top Russian missile maker

North Korean leader Kim Jong Un and Russia’s Defense Minister Sergei Shoigu visit an exhibition of armed equipment on the occasion of the 70th anniversary of the Korean War armistice in this image released by North Korea’s Korean Central News Agency on July 27, 2023. KCNA via REUTERS/File Photo

LONDON/WASHINGTON, Aug 7 (Reuters) – An elite group of North Korean hackers secretly breached computer networks at a major Russian missile developer for at least five months last year, according to technical evidence reviewed by Reuters and analysis by security researchers.

Reuters found cyber-espionage teams linked to the North Korean government, which security researchers call ScarCruft and Lazarus, secretly installed stealthy digital backdoor into systems at NPO Mashinostroyeniya, a rocket design bureau based in Reutov, a small town on the outskirts of Moscow.

Reuters could not determine whether any data was taken during the intrusion or what information may have been viewed. In the months following the digital break-in Pyongyang announced several developments in its banned ballistic missile program me but it is not clear if this was related to the breach.

Experts say the incident shows how the isolated country will even target its allies, such as Russia, in a bid to acquire critical technologies.

NPO Mashinostroyeniya did not respond to requests from Reuters for comment. Russia’s embassy in Washington did not respond to an emailed request for comment. North Korea’s mission to the United Nations in New York did not respond to a request for comment.

News of the hack comes shortly after a trip to Pyongyang last month by Russian defence minister Sergei Shoigu for the 70th anniversary of the Korean War; the first visit by a Russian defence minister to North Korea since the 1991 breakup of the Soviet Union.

The targeted company, commonly known as NPO Mash, has acted as a pioneer developer of hypersonic missiles, satellite technologies and newer generation ballistic armaments, according to missile experts – three areas of keen interest to North Korea since it embarked on its mission to create an Intercontinental Ballistic Missile (ICBM) capable of striking the mainland United States.

According to technical data, the intrusion roughly began in late 2021 and continued until May 2022 when, according to internal communications at the company reviewed by Reuters, IT engineers detected the hackers’ activity.

NPO Mash grew to prominence during the Cold War as a premier satellite maker for Russia’s space programme and as a provider of cruise missiles.


The hackers dug into the company’s IT environment, giving them the ability to read email traffic, jump between networks, and extract data, according to Tom Hegel, a security researcher with U.S. cybersecurity firm Sentinel One, who initially discovered the compromise.

“These findings provide rare insight into the clandestine cyber operations that traditionally remain concealed from public scrutiny or are simply never caught by such victims,” Hegel said.

Hegel’s team of security analysts at Sentinel One learned of the hack after discovering that an NPO Mash IT staffer accidentally leaked his company’s internal communications while attempting to investigate the North Korean attack by uploading evidence to a private portal used by cybersecurity researchers worldwide.

When contacted by Reuters, that IT staffer declined to comment.

The lapse provided Reuters and Sentinel One with a unique snapshot into a company of critical importance to the Russian state which was sanctioned by the Obama administration following the invasion of Crimea.

Two independent computer security experts, Nicholas Weaver and Matt Tait, reviewed the exposed email content and confirmed its authenticity. The analysts verified the connection by checking the email’s cryptographic signatures against a set of keys controlled by NPO Mash.

By Reuters

Related Articles

Back to top button