AI-Powered Cyber Threats: A Growing Concern

The Rise of AI-Driven Cyber Operations

Over 57 distinct threat actors with ties to China, Iran, North Korea, and Russia have been observed using artificial intelligence (AI) technology powered by Google to further enable their malicious cyber and information operations.

The Role of Gemini in Cyber Threats

Google Threat Intelligence Group (GTIG) stated that threat actors are experimenting with Gemini to enable their operations, finding productivity gains but not yet developing novel capabilities. At present, they primarily use AI for research, troubleshooting code, and creating and localizing content.

Government-Backed Attackers

Government-backed attackers, otherwise known as Advanced Persistent Threat (APT) groups, have sought to use Gemini’s tools to bolster multiple phases of the attack cycle, including coding and scripting tasks, payload development, gathering information about potential targets, researching publicly known vulnerabilities, and enabling post-compromise activities, such as defense evasion.

Cybersecurity Threats

Cybersecurity threats have been on the rise, with APT groups from more than 20 countries using Gemini. Describing Iranian APT actors as the "heaviest users of Gemini," GTIG said the hacking crew known as APT42, which accounted for more than 30% of Gemini use by hackers from the country, leveraged its tools for crafting phishing campaigns, conducting reconnaissance on defense experts and organizations, and generating content with cybersecurity themes.

APT42: A Notorious Threat Actor

APT42, which overlaps with clusters tracked as Charming Kitten and Mint Sandstorm, has a history of orchestrating enhanced social engineering schemes to infiltrate target networks and cloud environments. Last May, Mandiant revealed the threat actor’s targeting of Western and Middle Eastern NGOs, media organizations, academia, legal services, and activists by posing as journalists and event organizers.

North Korean APT Actors

North Korean actors employed Google’s AI service to research infrastructure and hosting providers. GTIG noted that one North Korea-backed group utilized Gemini to draft cover letters and proposals for job descriptions, researched average salaries for specific jobs, and asked about jobs on LinkedIn.

Underground Forum Posts

The tech giant further noted that it has seen underground forum posts advertising nefarious versions of large language models (LLMs) that are capable of generating responses sans any safety or ethical constraints.

The Need for Public-Private Collaboration

Google emphasized the need for heightened public-private collaboration to raise cyber defenses and disrupt threats, stating "American industry and government need to work together to support our national and economic security."

AI-Driven Phishing Attacks

Examples of AI-driven phishing attacks include WormGPT, WolfGPT, EscapeGPT, FraudGPT, and GhostGPT, which are explicitly designed to craft personalized phishing emails, generate templates for business email compromise (BEC) attacks, and design fraudulent websites.

Influence Operations

Attempts to misuse Gemini have also revolved around research into topical events, and content creation, translation, and localization as part of influence operations mounted by Iran, China, and Russia.

Countermeasures

Google is actively deploying defenses to counter prompt injection attacks. The company has emphasized the need for heightened public-private collaboration to raise cyber defenses and disrupt threats.

Conclusion

The use of AI-powered cyber threats is a growing concern, with threat actors from over 20 countries using Gemini. It is essential for industry and government to work together to support national and economic security. By understanding the role of AI in cyber threats, we can develop effective countermeasures to disrupt and prevent these attacks.

Stay Informed

Follow us on Twitter and LinkedIn to read more exclusive content we post.