
Crypto Theft: North Korean Hackers Exploit Chrome Zero-Day Vulnerability


In August, a North Korean hacking group launched a sophisticated cyberattack by exploiting a previously unknown vulnerability in Google Chrome, with the primary objective of targeting organizations to steal cryptocurrency. This incident has brought to light the persistent and evolving threat posed by state-sponsored hacking groups from North Korea, particularly those focusing on the lucrative and rapidly expanding cryptocurrency industry. The attack was meticulously detailed in a report by Microsoft, which underscored the severity and precision of the hacking group's tactics.

The hacking group in question, identified by Microsoft as "Citrine Sleet," is notorious for its specialized focus on the financial sector, specifically targeting institutions and individuals involved in the management and trade of digital assets. Microsoft’s cybersecurity team first detected suspicious activities linked to Citrine Sleet on August 19. Upon investigation, they discovered that the hackers had exploited a critical flaw within Chromium, the underlying open-source engine that powers Google Chrome, as well as other popular web browsers like Microsoft Edge.

This flaw was particularly dangerous because it was classified as a "zero-day" vulnerability. In cybersecurity parlance, a zero-day vulnerability refers to a previously unknown security flaw that the software vendor—in this case, Google—was unaware of and therefore had "zero days" to fix before it was exploited by attackers. The discovery of such a vulnerability typically places immense pressure on the affected software company to develop and release a patch as quickly as possible to mitigate potential damage. In this instance, Google responded swiftly by patching the vulnerability on August 21, just two days after Microsoft reported it. However, despite this prompt response, the damage caused by the attack had already taken place.

Microsoft confirmed that they had notified the targeted and compromised customers but chose not to disclose specific details about the number of affected organizations or the extent of the damage. The report provided a broader overview of Citrine Sleet's operations, describing the group as a North Korean entity that has been actively involved in cyber espionage and theft, with a particular focus on the cryptocurrency industry. This aligns with North Korea's broader strategy of using cyberattacks as a means to generate income for the regime, especially in light of the severe international sanctions that have crippled its economy.

Citrine Sleet's modus operandi involves extensive reconnaissance and social engineering—a method where hackers manipulate individuals into divulging confidential information. The group meticulously researches its targets within the cryptocurrency sector, often creating highly convincing fake websites that masquerade as legitimate cryptocurrency trading platforms or financial services. These fake websites are designed to lure unsuspecting victims into downloading malicious software or clicking on harmful links. One of the primary tools used by Citrine Sleet is a custom-built trojan malware known as AppleJeus. Once installed on a victim's system, AppleJeus collects sensitive information that is crucial for gaining control over the victim's cryptocurrency assets.

The attack process typically starts with the victim being tricked into visiting a web domain that appears legitimate but is actually controlled by the hackers. Once the victim's browser loads this attacker-controlled site, the Chromium flaw is used to gain a foothold, and the attackers then exploit a second vulnerability, this time within the Windows operating system's kernel. This allows them to install a rootkit, a type of deeply embedded malware that grants the hackers persistent, hard-to-detect access to the target's computer. With this rootkit in place, the attackers effectively gain full control over the compromised system, enabling them to steal data, monitor activities, and potentially move laterally within the network to target other systems.

This incident is part of a broader pattern of cybercriminal activities attributed to North Korea, particularly in the realm of cryptocurrency theft. The North Korean regime, under the leadership of Kim Jong Un, has increasingly relied on cybercrime as a means to circumvent international sanctions and generate revenue for its various illicit programs, including its controversial nuclear weapons development. According to a report by a United Nations Security Council panel, North Korea is estimated to have stolen approximately $3 billion in cryptocurrency between 2017 and 2023. This staggering figure highlights the scale and success of the regime's cyber operations, which have become a critical component of its strategy for economic survival and military expansion.

The case of Citrine Sleet and their exploitation of the Chrome vulnerability underscores the ongoing and growing threat of state-sponsored cyberattacks, particularly from North Korea. It also serves as a reminder of the importance of vigilance, timely software updates, and robust cybersecurity measures in protecting against such sophisticated threats. As the cryptocurrency industry continues to grow and evolve, it will likely remain a prime target for cybercriminals, making the need for advanced security practices more critical than ever.
