Type to search

North Korea Hackers Breached Russian Missile Maker’s Systems

The cyber attack revelation comes just weeks after a trip to Pyongyang by Russian defence minister Sergei Shoigu

North Korean leader Kim Jong Un and Russia's Defense Minister Sergei Shoigu visit an exhibition of armed equipment on the occasion of the 70th anniversary of the Korean War armistice in this image released by North Korea's Korean Central News Agency on July 27, 2023. KCNA via REUTERS/File Photo
North Korean leader Kim Jong Un and Russia's Defence Minister Sergei Shoigu visit an exhibition of armed equipment on the occasion of the 70th anniversary of the Korean War armistice in this image released by North Korea's Korean Central News Agency on July 27, 2023. Photo: Reuters


A specialist group of North Korean hackers was able to access the computer networks of a major Russian missile developer for at least five months, revealing how Pyongyang is prepared to target one of its few allies to acquire  critical technologies. 

According to technical evidence reviewed by Reuters and analysis by security researchers, cyber-espionage teams linked to the North Korean government, which security researchers call ScarCruft and Lazarus, secretly installed stealthy digital backdoors into systems at NPO Mashinostroyeniya, a rocket design bureau based in Reutov, a small town on the outskirts of Moscow.

Researchers could not determine whether any data was taken during the intrusion or what information may have been viewed. But in the months following the digital break-in Pyongyang announced several developments in its banned ballistic missile programme.


Also on AF: China, US, India Face Climate Change Debt-Cost Time Bomb


News of the hack comes shortly after a trip to Pyongyang last month by Russian defence minister Sergei Shoigu for the 70th anniversary of the Korean War – the first visit by a Russian defence minister to North Korea since the 1991 breakup of the Soviet Union.

The targeted company, commonly known as NPO Mash, has acted as a pioneer developer of hypersonic missiles, satellite technologies and newer generation ballistic armaments, according to missile experts – three areas of keen interest to North Korea since it embarked on its mission to create an Intercontinental Ballistic Missile (ICBM) capable of striking the mainland United States.

According to technical data, the intrusion roughly began in late 2021 and continued until May 2022 when, according to internal communications at the company reviewed by Reuters, IT engineers detected the hackers’ activity.

NPO Mash grew to prominence during the Cold War as a premier satellite maker for Russia’s space programme and as a provider of cruise missiles.

The hackers dug into the company’s IT environment, giving them the ability to read email traffic, jump between networks, and extract data, according to Tom Hegel, a security researcher with US cybersecurity firm SentinelOne, who initially discovered the compromise.

“These findings provide rare insight into the clandestine cyber operations that traditionally remain concealed from public scrutiny or are simply never caught by such victims,” Hegel said.


Cyber Clues Link to North Korea

Hegel’s team of security analysts at SentinelOne learned of the hack after discovering that an NPO Mash IT staffer accidentally leaked his company’s internal communications while attempting to investigate the North Korean attack by uploading evidence to a private portal used by cybersecurity researchers worldwide.

SentinelOne said they were confident North Korea was behind the hack because the cyber spies re-used previously known malware and malicious infrastructure set up to carry out other intrusions.

In 2019, Russian President Vladimir Putin touted NPO Mash’s “Zircon” hypersonic missile as a “promising new product”, capable of travelling at around nine times the speed of sound.

The fact North Korean hackers may have obtained information about the Zircon does not mean they would immediately have that same capability, said Markus Schiller, a Europe-based missile expert who has researched foreign aid to North Korea’s missile programme.

“That’s movie stuff,” he said. “Getting plans won’t help you much in building these things, there is a lot more to it than some drawings”.


Rocket Fuel Manufacturing Suspicions

Another area of interest could be in the manufacturing process used by NPO Mash surrounding fuel, experts said. Last month, North Korea test-launched the Hwasong-18, the first of its ICBMs to use solid propellants.

That fuelling method can allow for faster deployment of missiles during war, because it does not require fuelling on a launchpad, making the missiles harder to track and destroy before blast-off.

NPO Mash produces an ICBM dubbed the SS-19 which is fuelled in the factory and sealed shut, a process known as “ampulisation” that yields a similar strategic result.

“It’s hard to do because rocket propellant, especially the oxidiser, is very corrosive,” said Jeffrey Lewis, a missile researcher at the James Martin Center for Nonproliferation Studies.

“North Korea announced that it was doing the same thing in late 2021. If NPO Mash had one useful thing for them, that would be top of my list,” he added.


  • Reuters with additional editing by Sean O’Meara


Read more:

North Korea Hackers Targeted Crypto in US Tech Firm Attack

US Says China’s State Hackers Breached Government Emails

China’s New Anti-Espionage Law Puts Firms at Risk, US Warns

China Has Been Spying From Cuba For Years, US Says



Sean O'Meara

Sean O'Meara is an Editor at Asia Financial. He has been a newspaper man for more than 30 years, working at local, regional and national titles in the UK as a writer, sub-editor, page designer and print editor. A football, cricket and rugby fan, he has a particular interest in sports finance.


AF China Bond