In a recent cyberattack, North Korean hackers leveraged an undisclosed flaw in Google Chrome to breach organizations and steal cryptocurrency. The attack, which took place in August 2023, was carried out by a group known as Citrine Sleet, notorious for its focus on the cryptocurrency industry. This event underscores the persistent threat posed by state-sponsored hackers, especially from North Korea, who have increasingly turned to cryptocurrency theft as a way to bypass international sanctions.
The Zero-Day Vulnerability: A Race Against the Clock
The attack revolved around a zero-day vulnerability in Chromium, the open-source foundation of Chrome and other browsers such as Microsoft Edge. A zero-day vulnerability is a software flaw that the vendor (in this case, Google) does not yet know about, so no patch exists at the moment attackers begin exploiting it.
Microsoft’s cybersecurity researchers first observed signs of the attack on August 19, 2023. The hackers used the flaw to launch a targeted campaign against organizations within the cryptocurrency sector. Google responded quickly by patching the vulnerability within two days, on August 21. By then, however, the hackers had already begun their operations, which shows how critical timing is with zero-day exploits: attackers have only a narrow window to act before a fix is available, and defenders have an equally narrow window to notice.
Citrine Sleet: A Growing Menace
The group behind this attack, Citrine Sleet, is believed to operate from North Korea and has a track record of targeting financial institutions, especially those involved in cryptocurrency. Its actions are part of a broader strategy by the North Korean regime to fund its nuclear weapons program through cybercrime.
Citrine Sleet used sophisticated social engineering tactics to reach its targets. According to Microsoft, the group created fake websites that appeared to be legitimate cryptocurrency trading platforms. These sites were used to distribute malware disguised as job applications, or to entice victims into downloading trojanized cryptocurrency wallets or trading apps. The malware, known as AppleJeus, is a custom trojan designed to take over the victim’s cryptocurrency assets.
The Attack Process: From Social Engineering to Deep System Control
The attack started by deceiving victims into visiting malicious websites under the hackers’ control. Once a target accessed one of these sites, the hackers exploited the Chrome vulnerability to gain initial access to the victim’s computer. This was only the first stage of a more complex, multi-stage attack.
The hackers then took advantage of another vulnerability, this one in the Windows operating system, to install a rootkit (a type of malware that gives attackers deep, privileged access to the system) on the victim’s computer. With the rootkit installed, the hackers gained complete control over the victim’s machine, enabling them to steal sensitive data such as cryptocurrency wallet credentials and private keys.
Cryptocurrency has become an increasingly attractive target for North Korean hackers. According to a United Nations Security Council report, the regime has stolen around $3 billion in cryptocurrency between 2017 and 2023. These stolen funds are believed to support North Korea’s nuclear weapons program, as the country faces strict international sanctions that limit its access to traditional financial resources.
The Citrine Sleet attack underscores the ongoing threat that state-sponsored hacking groups pose to the global financial system, particularly within the fast-evolving cryptocurrency market. As digital currencies become more integrated into the global economy, the risks associated with such cyberattacks continue to escalate.
This incident highlights the crucial need for vigilance and rapid response in the face of cybersecurity threats. While Google’s quick patching of the Chrome vulnerability limited some of the potential damage, the attack is a stark reminder that zero-day exploits remain a powerful tool for attackers. Organizations, especially those in the financial sector, must watch for emerging threats and ensure that their systems are continuously updated and protected against known vulnerabilities.
Furthermore, this attack emphasizes the importance of robust cybersecurity practices, including advanced threat detection and employee training to identify and avoid social engineering techniques. As state-sponsored hacking groups like Citrine Sleet develop more sophisticated methods, the global cybersecurity community must adapt and strengthen its defenses to effectively counter these threats.
The exploitation of a Chrome zero-day vulnerability by North Korean hackers is a clear indication of the growing threat landscape in today’s digital world. As state-sponsored groups increasingly resort to cybercrime to achieve their geopolitical aims, the importance of strong cybersecurity measures cannot be overstated. The Citrine Sleet incident serves as a crucial reminder for organizations worldwide to bolster their defenses and remain vigilant against the constant risk of cyberattacks.