North Korean Cyber Team ‘ScarCruft’

The North Korean hacking organization known as ScarCruft has reportedly attacked Russian space and missile engineering company NPO Mashinostroyeniya. The cyber assault targeted both the email server and IT infrastructure.

The Target – NPO Mashinostroyeniya

NPO Mashinostroyeniya, responsible for creating spacecraft and defense missiles for Russia and India, has been sanctioned by the U.S. Department of Treasury (OFAC) since 2014. Their involvement in the Russo-Ukrainian conflict led to these sanctions.

Uncovering the ScarCruft Cyber Invasion

Today’s revelations by SentinelLabs highlight ScarCruft’s role in the hacking of NPO Mashinostroyeniya. The cybercriminals inserted a backdoor into the network known as ‘OpenCarrot.’

The core objective of this intrusion remains uncertain. ScarCruft (APT37) is, however, famous for cyber espionage campaigns.

Discovering the ScarCruft’s led Breach – A Deeper Look

Security Analysis

Security experts at SentinelLabs came across this breach while examining leaked emails from NPO Mashinostroyeniya. These emails contained confidential data and IT staff alerts about a probable cybersecurity incident in May 2022.

SentinelLabs’ subsequent investigation unveiled a more severe intrusion than what the missile manufacturer had initially perceived.

Suspicious Activities of ScarCruft and Malware Discovery

The leaked emails revealed discussions within NPO Mashinostroyeniya about odd network interactions between internal devices and external servers. This prompted an inquiry that led to the detection of malicious software installed internally. The antivirus firm was then engaged to diagnose the infection.

SentinelLabs identified the ‘OpenCarrot’ Windows backdoor in the infected Russian entity by studying IP addresses and other clues.

OpenCarrot and Its Connections

OpenCarrot, a multifaceted backdoor malware, was previously linked to Lazarus Group, another North Korean hacker team. Although the association between ScarCruft and Lazarus in this operation is unclear, North Korean hackers often share tools and strategies.

OpenCarrot’s Functions

The OpenCarrot variant in this attack, built as a DLL file, supports 25 commands, covering:

  • Reconnaissance: Attributes for file and process enumeration, scanning, and IP range pinging.
  • File and Process Manipulation: Termination, injection, deletion, and renaming.
  • Reconfiguration and Connectivity: C2 communication management, malware data alteration, and network connections proxying.

OpenCarrot becomes inactive when legitimate users are present on the affected devices. It also scans for new USB drives every 15 seconds for possible contamination.

ScarCruft Intrusion Traces and Strategy Indicators

SentinelLabs also spotted suspicious traffic from the victim’s Linux email server leading to ScarCruft’s facilities. While the intrusion method is still under analysis, the RokRAT backdoor’s use has been suggested.

The involvement of two state-backed hacking groups may signify North Korea’s deliberate strategy. Targeting NPO Mashinostroyeniya, likely seen as a significant espionage mark, the state might have intended to enhance the chances of a successful breach.


The ScarCruft-led breach into NPO Mashinostroyeniya’s systems is another stark reminder of the complexity and sophistication of cyber warfare in modern times. The multifaceted attack demonstrates not only the advanced tactics used by state-backed hackers but also the ongoing vulnerability of critical infrastructure and information. The global community must remain vigilant and proactive in the face of such threats, which continue to evolve and proliferate.