An elite group of North Korean hackers secretly breached computer networks at a major Russian missile developer for at least five months last year, according to technical evidence reviewed by Reuters and analysis by security researchers.
Reuters found cyber-espionage teams linked to the North Korean government, which security researchers call ScarCruft and Lazarus, secretly installed stealthy digital backdoors into systems at NPO Mashinostroyeniya, a rocket design bureau based in Reutov, a small town on the outskirts of Moscow.
Reuters found cyber-espionage teams linked to the North Korean government, which security researchers call ScarCruft and Lazarus, secretly installed stealthy digital backdoors into systems at NPO Mashinostroyeniya, a rocket design bureau based in Reutov, a small town on the outskirts of Moscow.
According to technical data, the intrusion roughly began in late 2021 and continued until May 2022 when, according to internal communications at the company reviewed by Reuters, IT engineers detected the hackers' activity.
The hackers dug into the company's IT environment, giving them the ability to read email traffic, jump between networks, and extract data, according to Tom Hegel, a security researcher with U.S. cybersecurity firm SentinelOne, who initially discovered the compromise.
Hegel's team of security analysts at SentinelOne learned of the hack after discovering that an NPO Mash IT staffer accidentally leaked his company's internal communications while attempting to investigate the North Korean attack by uploading evidence to a private portal used by cybersecurity researchers worldwide.
The lapse provided Reuters and SentinelOne with a unique snapshot into a company of critical importance to the Russian state which was sanctioned by the Obama administration following the invasion of Crimea.
In 2019, Russian President Vladimir Putin touted NPO Mash's "Zircon" hypersonic missile as a "promising new product", capable of travelling at around nine times the speed of sound.