Microsoft says North Korean hacking groups have breached multiple Russian government and defense targets since the start of the year.

As the company claims in a report published today on threats from East Asia, the threat actors are taking advantage of Russia’s focus on the invasion of Ukraine to harvest intelligence from compromised Russian systems.

“Multiple North Korean threat actors have recently targeted the Russian government and defense industry – likely for intelligence collection – while simultaneously providing material support for Russia in its war on Ukraine,” said Clint Watts, the head of Microsoft’s Digital Threat Analysis Center.

Microsoft is yet to provide further details regarding these attacks, such as what Russian organizations were breached, but the company’s report does provide insight into when some of the attacks occurred.

One Russian aerospace research entity and Russian diplomatic accounts were all hacked this March, according to Redmond.

“In March 2023, Ruby Sleet compromised an aerospace research institute in Russia. Additionally, Onyx Sleet (PLUTONIUM) compromised a device belonging to a university in Russia in early March,” the Microsoft Threat Intelligence team said.

“Separately, an attacker account attributed to Opal Sleet (OSMIUM) sent phishing emails to accounts belonging to Russian diplomatic government entities during the same month.”

North Korean cyberattacks orchestrated by threat groups tracked as Ruby Sleet (aka CERIUM) and Diamond Sleet (aka ZINC and Lazarus) have also extended their scope to include arms manufacturers in various nations, which notably include Germany and Israel.

Defense firms in Brazil, Czechia, Finland, Italy, Norway, and Poland have also been subject to these intrusions, all as part of a coordinated endeavor to enhance the country’s military capabilities.

“From November 2022 to January 2023, Microsoft observed a second instance of targeting overlaps, with Ruby Sleet and Diamond Sleet compromising defense firms,” Microsoft said.

“Since January 2023, Diamond Sleet has also compromised defense companies in Brazil, Czechia, Finland, Italy, Norway, and Poland.”

Microsoft’s report follows one published by SentinelLabs last month linking the APT37 North Korean state-backed hacking group to the breach of Russian missile maker NPO Mashinostroyeniya.

The company is sanctioned by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) for its role in the Russian invasion of Ukraine.

While the attackers’ goal was unclear, SentinelLabs highlighted that the group’s cyber-espionage efforts have focused on stealing data from the networks of compromised organizations.

The OpenCarrot backdoor deployed by APT37 on the systems of the Russian defense entity was previously linked to another North Korean threat group, the Lazarus Group.