At a glance.
- North Korean cyberespionage against a Russian aerospace firm.
- Reptile rootkit used against South Korean systems.
- An update on Cloudzy.
- Cl0p using torrents to move data stolen in MOVEit exploitation.
- STRRAT malware delivered by PDF.
- The cyber phase of Russia's hybrid war: a view from Kyiv.
- Meduza was removed from, then restored to, the Apple Podcasts platform.
North Korean cyberespionage against a Russian aerospace firm.
Reuters reports that North Korean operators have successfully penetrated NPO Mashinostroyeniya, a rocket design bureau headquartered in a Moscow suburb. The apparent industrial espionage wasn't deterred by Russia's attempts to cultivate closer relations with Pyongyang, which it views as a potential supplier of ammunition and other matériel for the war against Ukraine.
SentinelLabs researchers, the source for the technical details in the Reuters report, found two instances of a North Korean compromise of NPO Mashinostroyeniya. One, the compromise of an email server, was by ScarCruft. The second involved a Windows backdoor, "OpenCarrot," which has been associated with the Lazarus Group. The relationship between the two compromises remains unclear. The two groups could be cooperating, or Pyongyang may consider the target important enough to hedge its bets by assigning the Russian firm to two different intelligence groups, "multiple independent threat actors," as SentinelLabs puts it.
SentinelLabs, in the course of its usual monitoring of North Korean cyber activity, "identified a leaked email collection containing an implant with characteristics related to previously reported DPRK-affiliated threat actor campaigns." This led to discovery of the larger campaign. It's evidence of Pyongyang's determination to advance its missile development program, a goal it probably considers more important than any new collaborative relationship with Moscow.