Nation-state actors linked to Russia, North Korea, Iran, and China are exploring the applications of artificial intelligence (AI) and large language models (LLMs) in conjunction with their ongoing cyber attack endeavors.
The insights are drawn from a Microsoft report created in partnership with OpenAI, which disclosed interventions made against five state-affiliated actors utilizing AI services for malevolent cyber operations by terminating their assets and accounts.
The report highlighted that LLMs inherently possess language capabilities, making them appealing to threat actors who heavily rely on social engineering tactics and deceptive communications tailored to their targets’ professional spheres and relationships.
Although no significant or innovative attacks utilizing LLMs have been identified thus far, the adversarial exploitation of AI technologies has progressed across different stages of the attack process, including reconnaissance, code development, and malware creation.
Specifically, the Russian nation-state group known as Forest Blizzard (also identified as APT28) utilized these resources for open-source research on satellite communication protocols, radar imaging technology, and scripting support.
Here are some of the prominent hacking groups mentioned in the report:
-
Emerald Sleet (aka Kimusky), a North Korean threat actor, leveraged LLMs to pinpoint experts, think tanks, and defense-focused organizations in the Asia-Pacific region, understand vulnerabilities, assist in basic scripting tasks, and craft content for potential phishing campaigns.
-
Crimson Sandstorm (aka Imperial Kitten), an Iranian threat actor, employed LLMs to generate code snippets for app and web development, create phishing emails, and explore evasion techniques for malware detection.
-
Charcoal Typhoon (aka Aquatic Panda), a Chinese threat actor, utilized LLMs for company and vulnerability research, script generation, content creation for phishing campaigns, and identification of post-compromise tactics.
-
Salmon Typhoon (aka Maverick Panda), another Chinese threat actor, used LLMs for translating technical documents, gathering intelligence on multiple agencies and regional threat actors, debugging code, and discovering evasion methods.
Microsoft is actively developing a framework of principles to address the risks associated with the malevolent use of AI tools and APIs by nation-state advanced persistent threats (APTs), advanced persistent manipulators (APMs), and cybercriminal syndicates. These principles encompass proactive identification and response to malicious actors, collaboration with relevant stakeholders, and ensuring transparency in their efforts to safeguard against misuse.
