According to a report published today by Microsoft on threats from East Asia, multiple North Korean hacking groups have successfully breached Russian government and defense targets since the beginning of the year. These threat actors are taking advantage of Russia’s focus on the invasion of Ukraine to gather intelligence from compromised Russian systems.

Clint Watts, the head of Microsoft’s Digital Threat Analysis Center, stated, “Multiple North Korean threat actors have recently targeted the Russian government and defense industry – likely for intelligence collection – while simultaneously providing material support for Russia in its war on Ukraine.”

While Microsoft has not disclosed specific details about the breached Russian organizations, its report does shed light on the timing of some of the attacks. In March 2023, the North Korean threat groups Ruby Sleet and Onyx Sleet (PLUTONIUM) compromised a Russian aerospace research institute. During the same month, Microsoft Threat Intelligence also observed a third group, Opal Sleet (OSMIUM), sending phishing emails to accounts belonging to Russian diplomatic government entities.

Beyond Russia, the North Korean groups Ruby Sleet (aka CERIUM) and Diamond Sleet (aka ZINC and Lazarus) have expanded their targeting to arms manufacturers in several countries, including Germany and Israel. Defense firms in Brazil, Czechia, Finland, Italy, Norway, and Poland have also been hit, in what Microsoft describes as a coordinated effort to enhance North Korea’s military capabilities.

Microsoft’s report follows one published by SentinelLabs, which linked the North Korean state-backed hacking group APT37 to the breach of Russian missile maker NPO Mashinostroyeniya. This company is sanctioned by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) due to its involvement in the Russian invasion of Ukraine.

Although the exact motives of the attackers remain unclear, SentinelLabs notes that APT37’s cyber-espionage activity has primarily focused on stealing data from compromised organizations’ networks. The OpenCarrot backdoor, which APT37 deployed on the systems of the Russian defense entity, has previously been associated with another North Korean threat group, the Lazarus Group, suggesting possible tooling overlap or collaboration between the two.
