Microsoft reports North Korean hacking groups targeting Russian government and defense
According to Microsoft, North Korean hacking groups have breached Russian government and defense targets throughout the year, exploiting Russia’s focus on the Ukraine conflict to gather intelligence. The report notes specific incidents in March and a wider campaign against defense firms in several other countries.
Microsoft has revealed that North Korean hacking groups have successfully infiltrated multiple Russian government and defense targets since the beginning of this year. This disclosure is part of a report released today by the company, addressing threats originating from East Asia. The report indicates that these threat actors are capitalizing on Russia’s preoccupation with the Ukraine invasion to gather intelligence from compromised Russian systems.
Clint Watts, the head of Microsoft’s Digital Threat Analysis Center, stated, “Multiple North Korean threat actors have recently targeted the Russian government and defense industry, likely with the aim of collecting intelligence, all while simultaneously providing material support to Russia in its war on Ukraine.”
Microsoft has yet to provide specific details about the breached Russian organizations. However, the report does offer insights into some of the attacks that have taken place. In March 2023, one Russian aerospace research institute and Russian diplomatic accounts were compromised by the threat groups Ruby Sleet (also known as CERIUM) and Onyx Sleet (PLUTONIUM). Additionally, an attacker account attributed to Opal Sleet (OSMIUM) sent phishing emails to accounts belonging to Russian diplomatic government entities during the same month.
The campaign, carried out by the threat groups Ruby Sleet and Diamond Sleet (the latter also known as ZINC and Lazarus), has extended beyond Russia to arms manufacturers in other countries, including Germany and Israel. Defense companies in Brazil, Czechia, Finland, Italy, Norway, and Poland have also fallen victim to these intrusions, all as part of a coordinated effort to enhance North Korea’s military capabilities.
Microsoft’s observations show that from November 2022 to January 2023, there was a second instance of overlapping targeting, with both Ruby Sleet and Diamond Sleet compromising defense firms. Since January 2023, Diamond Sleet has expanded its scope to target defense companies in Brazil, Czechia, Finland, Italy, Norway, and Poland.
This report from Microsoft follows one published by SentinelLabs last month, which linked the APT37 North Korean state-backed hacking group to the breach of the Russian missile manufacturer NPO Mashinostroyeniya. Notably, NPO Mashinostroyeniya is sanctioned by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) for its role in the Russian invasion of Ukraine.
While the exact motives of the attackers remain unclear, SentinelLabs pointed out that the group’s cyber-espionage efforts have focused on stealing data from the compromised organizations’ networks. The OpenCarrot backdoor used by APT37 in the systems of the Russian defense entity was previously associated with another North Korean threat group, the Lazarus Group.