
North Korean Hacking Group Exploits Chrome Bug to Steal Cryptocurrency: Microsoft Report

North Korean state-sponsored hackers have once again targeted the cryptocurrency industry, this time by exploiting a zero-day vulnerability in Chromium-based browsers. Microsoft's security researchers observed the activity on August 19, 2024 and attributed it to a group they track as Citrine Sleet. The flaw (CVE-2024-7971, a type confusion bug in V8, the JavaScript engine at the core of Chromium, the open-source code base underlying Chrome, Edge and other popular browsers) let the attackers run code inside the browser of anyone who simply visited an attacker-controlled web page, and from that foothold they went on to take control of the victims' computers and steal cryptocurrency.

Because the bug was a zero-day, Google, which maintains Chrome, had no fix available when exploitation began; it shipped a patch two days later, on August 21. Microsoft has notified the customers it found targeted or compromised but has not named them, and the number of targets and victims is not known; asked about the scale of the attack, Microsoft declined to elaborate. One practical caveat: a Chrome update only takes effect once the browser is relaunched, so a user who downloaded the fix but kept the same browser windows open for days was still running the vulnerable build.
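The check a defender actually wants after a story like this is whether the browsers on a fleet are at or above the fixed build. The script below is an added example written for this article, not code from Microsoft or Google. It assumes the fixed build is 128.0.6613.84 (the Chrome Stable release of August 21, 2024; confirm against Google's own release notes before relying on it) and looks only for Chrome and Chromium binaries, because Edge and Brave report vendor version strings whose third component differs from Chromium's and need their own thresholds. The point it demonstrates is numeric, per-component version comparison: a plain string compare ranks `128.0.6613.9` above `128.0.6613.84` and would wrongly report an unpatched browser as safe.

```python
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

# Assumption for this example: the Chrome Stable build that carries the fix for the
# V8 zero-day (Google's release of August 21, 2024). Verify against Google's release notes.
FIXED_BUILD: Tuple[int, int, int, int] = (128, 0, 6613, 84)

# Chromium versions are four dotted integers, e.g. 128.0.6613.84
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Only Chrome/Chromium binaries: Edge and Brave use their own version schemes,
# so comparing them against a Chromium build number would give wrong answers.
_CHROMIUM_BINARIES = ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a four-part Chromium version from output such as
    'Google Chrome 128.0.6613.84' or 'Chromium 127.0.6533.119 snap'.
    Returns None when no such version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def is_patched(version_text: str, fixed: Tuple[int, int, int, int] = FIXED_BUILD) -> bool:
    """True when the reported build is at or above the fixed build.
    Tuples of ints compare component by component, which is what we want;
    comparing the raw strings would not ('9' > '84' lexically)."""
    version = parse_version(version_text)
    if version is None:
        return False  # unknown or unparsable version: treat as unpatched
    return version >= fixed


def installed_browser_versions() -> Dict[str, str]:
    """Best-effort inventory: run each Chrome/Chromium binary found on PATH
    with --version and return its raw output keyed by binary name."""
    results: Dict[str, str] = {}
    for exe in _CHROMIUM_BINARIES:
        path = shutil.which(exe)
        if not path:
            continue
        try:
            proc = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
        except (subprocess.SubprocessError, OSError):
            continue
        results[exe] = proc.stdout.strip()
    return results


def report(versions: Dict[str, str]) -> Dict[str, bool]:
    """Map each discovered binary to whether it is at or above FIXED_BUILD."""
    return {name: is_patched(text) for name, text in versions.items()}


if __name__ == "__main__":
    found = installed_browser_versions()
    if not found:
        print("no Chrome/Chromium binary found on PATH")
    for name, patched in report(found).items():
        print(f"{name}: {found[name]} -> {'patched' if patched else 'UNPATCHED'}")
```

Run it on a Linux host with Chrome or Chromium installed; on Windows or macOS the same `parse_version`/`is_patched` logic applies, but the inventory step would instead read the version from the installed binary's metadata or from management tooling, and a fleet-wide rollout should also confirm the browser has been relaunched since the update.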

Citrine Sleet, the North Korean group Microsoft holds responsible (other vendors track the same cluster under names including AppleJeus, Labyrinth Chollima, UNC4736 and Hidden Cobra), primarily targets financial institutions, in particular organizations and individuals that manage cryptocurrency. The group conducts extensive reconnaissance of the cryptocurrency industry and the people who work in it. Its social engineering relies on fake websites posing as legitimate cryptocurrency trading platforms, which it uses to hand out fake job applications or to lure targets into downloading trojanized cryptocurrency wallets or trading applications.

The group's signature malware is AppleJeus, a trojan that collects the information needed to take over a target's cryptocurrency assets. In this campaign the chain was different: victims were lured to a web domain under the attackers' control, where the page served the V8 exploit and gave the attackers code execution inside the browser's sandboxed renderer process. To get out of that sandbox they exploited a second vulnerability, this one in the Windows kernel (CVE-2024-38106), and used the resulting kernel privileges to load the FudModule rootkit, malware that lives at the most privileged level of the operating system, tampers with kernel structures to blind security tooling, and gives the attackers complete and persistent control of the compromised computer. The caveat worth noting is that Microsoft had already patched CVE-2024-38106 on August 13, six days before the Chromium exploitation was observed, so a host that was current on Windows updates stopped the sandbox escape and the rootkit even while its browser was still vulnerable.

This is far from the first time North Korean government hackers have gone after the cryptocurrency industry. A United Nations Security Council panel of experts estimated that the regime stole about $3 billion in cryptocurrency between 2017 and 2023. Under strict international sanctions, the North Korean government has turned to cryptocurrency theft as a source of funding for its weapons programs, including its nuclear weapons program.

The latest attack underlines the persistent threat North Korean hackers pose to the cryptocurrency industry, and the specific lessons are concrete: patch browsers and operating systems promptly and make sure the browser is actually relaunched after updating, since in this case an up-to-date Windows host blocked the second stage of the chain on its own; treat unsolicited job offers and downloads of wallet or trading software from unfamiliar sites as the social engineering they usually are; and keep the systems that hold signing keys or wallet credentials separate from everyday browsing. As the value and popularity of cryptocurrencies continue to grow, so does the incentive for state-backed groups to target them, and organizations holding such assets need to stay ahead of these evolving tactics rather than react after the fact.