
### Nation-States Utilizing AI as a Weapon in Cyberattacks: Microsoft and OpenAI’s Insights

The world’s major powers are working with large language models (LLMs) to enhance their offen…

#### Nation-State APTs Leveraging OpenAI Technology

The utilization of large language models (LLMs) by Advanced Persistent Threats (APTs) associated with China, Iran, North Korea, and Russia has been brought to light in recent blog posts by OpenAI and Microsoft. These major threat actors have been employing OpenAI software for various purposes, including research, fraudulent activities, and other malicious endeavors. Following the identification of these actors, OpenAI took decisive action by closing all associated accounts.

Despite the initial apprehension surrounding AI-enhanced cyber operations by nation-states, there is a silver lining: the observed misuse of LLM technology by threat actors has not resulted in any catastrophic outcomes thus far.

Microsoft’s report highlighted that the current use of LLM technology by threat actors follows a familiar pattern: AI is being utilized as a productivity tool rather than for groundbreaking attack strategies. Neither Microsoft nor OpenAI has yet detected any notably innovative or distinctive AI-enabled attack techniques stemming from threat actors’ adoption of AI.

#### The Nation-State APTs Embracing OpenAI

The nation-state APTs leveraging OpenAI at present are among the most infamous worldwide.

One such group, tracked by Microsoft as Forest Blizzard but more commonly known as Fancy Bear, has a notorious history including the hacking of the Democratic National Committee and instigating unrest in Ukraine. This GRU-affiliated military unit has been employing LLMs for basic scripting tasks, intelligence gathering, and research on satellite communication protocols and radar imaging technologies, likely related to the conflict in Ukraine.

In China, two state actors, Charcoal Typhoon (also known as Aquatic Panda, ControlX, RedHotel, BRONZE UNIVERSITY) and Salmon Typhoon (also identified as APT4, Maverick Panda), have been actively utilizing AI, particularly ChatGPT. Charcoal Typhoon has been leveraging AI for pre-compromise malicious activities, post-compromise operations, and other advanced commands. On the other hand, Salmon Typhoon has primarily used LLMs for intelligence gathering purposes.

Iran’s Crimson Sandstorm (also referred to as Tortoiseshell, Imperial Kitten, Yellow Liderc) has turned to OpenAI for phishing material development and code snippets to support their web scraping operations.

Lastly, Kim Jong-Un’s Emerald Sleet (Kimsuky, Velvet Chollima) from North Korea has been employing OpenAI for basic scripting tasks, phishing content creation, and research on vulnerabilities and defense-related entities.

#### AI’s Impact on Cyber Operations

Despite the significant potential of AI in cyber operations, the current malicious uses of AI, while concerning, have not yet reached the level of science fiction-like capabilities. Threat actors are leveraging LLMs to expedite code writing processes, particularly in malware development, without introducing groundbreaking advancements. However, the efficiency gains from utilizing AI cannot be overlooked.

While the impact of AI in cyber operations may not be revolutionary at present, there are still advantages for attackers. Bad actors can potentially scale up malware deployment and expand their reach to new systems by leveraging LLMs for code translation. The stealthy nature of novel AI applications poses a potential risk that has not yet been fully recognized by security companies.

In conclusion, maintaining vigilance and adhering to fundamental security practices are crucial in mitigating the risks associated with AI-enhanced cyber threats.

Last modified: February 15, 2024