According to Microsoft, a North Korean hacking group exploited a previously unknown bug in Chrome to target organizations in early August with the aim of stealing cryptocurrency.
In a report published on Friday, cybersecurity researchers at the tech giant said they first saw evidence of the hackers' activity on Aug. 19 and that the hackers were linked to a group known as “Citrine Sleet,” which is known for targeting the cryptocurrency industry.
According to the report, the hackers exploited a flaw in a core engine within Chromium, the underlying code for popular browsers like Chrome and Microsoft Edge. At the time the hackers exploited the vulnerability, it was a zero-day vulnerability, meaning the software maker (in this case, Google) was unaware of the bug and didn't have time to issue a fix before it was exploited. Google fixed the bug two days later, on August 21, according to Microsoft.
Google spokesman Scott Westover told TechCrunch that the company had no comment other than to confirm that the bug had been fixed.
Microsoft said it had notified “those customers who were targeted and compromised,” but did not provide details about who was targeted or how many targets and victims were involved in the hacking campaign.
Contact Us Do you have more information about North Korean government hackers or other government-sponsored hacking activities? You can securely contact Lorenzo Franceschi-Bicchierai from a non-work device via Signal (+1 917 257 1382), Telegram, Keybase @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.
When asked by TechCrunch, Microsoft spokesperson Chris Williams declined to say how many organizations or companies were affected.
The researchers said Citrin Sleet is “based in North Korea and primarily targets financial institutions, particularly organizations and individuals who control cryptocurrencies, for financial gain,” adding that the group has “done extensive reconnaissance on the cryptocurrency industry and individuals associated with it” as part of its social engineering techniques.
“Threat actors create fake websites posing as legitimate cryptocurrency trading platforms and use them to distribute fake job postings or lure targets into downloading weaponized cryptocurrency wallets and trading applications based on legitimate applications,” the report states. “Citrine Sleet most commonly infects targets with its custom-developed Trojan malware, AppleJeus, to gather information needed to seize control of the victim's cryptocurrency assets.”
The North Korean hackers' attacks began by tricking victims into visiting web domains they controlled, then exploiting another vulnerability in the Windows kernel that allowed them to install a rootkit – a type of malware that gives deep access to the operating system – on the targeted computers, the Microsoft report said.
At that point, the hacker has complete control over the hacked computer, and it's essentially game over when it comes to the targeted victim's data.
Cryptocurrencies have long been an attractive target for North Korean government hackers, with a United Nations Security Council committee concluding that the regime stole $3 billion worth of cryptocurrencies between 2017 and 2023. With Kim Jong Un's regime subject to strict international sanctions, the regime has turned to cryptocurrencies to fund its nuclear weapons program.