An elite group of North Korean hackers secretly breached computer networks at a significant Russian missile developer for at least five months last year, according to technical evidence reviewed by Reuters and analysis by security researchers. The hacks, if confirmed, suggest a significant escalation in the spies' ability to steal secrets from their targets. The same groups have already been responsible for a massive cyberattack on a South Korean television network and for the intrusion of 3CX, a software firm whose products let hundreds of multinational firms, ranging from hotel chains to health care providers, make voice and video calls over the Internet.
Reuters found that cyber-espionage teams linked to the North Korean government, which security researchers call ScarCruft and Lazarus, secretly installed stealthy digital backdoors into systems at NPO Mashinostroyeniya, a rocket design bureau based in the Russian city of Samara. The backdoors allowed the spies to watch email traffic, move between networks and extract data from servers. How much information was stolen is unclear. It is also unclear whether the hackers were interested in NPO Mashinostroyeniya’s work on the Zircon hypersonic missile, which can travel at about nine times the speed of sound and is of keen interest to Pyongyang as it works toward developing an intercontinental ballistic missile capable of striking the landmass of the United States.
NPO Mashinostroyeniya did not reply to requests for comment. The Russian Embassy in Washington and the North Korean Mission to the United Nations in New York did not respond to a request for comment either. The incident underscores the threat of cyber espionage and shows that the isolated nation will even target its allies to acquire critical technologies, experts say.
The hacks were revealed in a federal indictment filed on Dec. 8, 2020, in the US District Court for the Southern District of California and unsealed on Thursday. It accused three defendants of being members of units of the RGB, or Reconnaissance General Bureau, the primary entity in the DPRK that is responsible for hostile cyber activity. The indictment also alleged that the defendants were part of a conspiracy to damage, steal, and otherwise further the strategic and financial interests of the DPRK government and leader, Kim Jong Un.
The prosecutors said that the defendants worked on behalf of the RGB and were members of units called APT38 and Lazarus, both of which are associated with the RGB. They also allegedly worked for the Pyongyang University of Automation, one of the DPRK’s premier cyber instruction institutions. The university trains malicious cyber actors, many of whom go on to work in cybersecurity units under the control of the RGB.
The US Department of Justice has been stepping up its prosecutions of North Korea’s state-sponsored hackers. In December, the department unsealed an indictment against three of them for stealing $1.3 billion in cash and cryptocurrency. The hackers have been charged with cyber espionage, money laundering, and other offenses. The defendants face up to 30 years in prison if convicted.