Microsoft Warns State-Backed Threat Actors Are Using AI in Attacks

Nation-state actors linked with Russia, North Korea, Iran, and China are exploring the integration of artificial intelligence (AI) and large language models (LLMs) to enhance their existing cyber attack operations.

A report jointly published by Microsoft and OpenAI reveals that both organizations disrupted the efforts of five state-affiliated actors engaging in malicious cyber activities by terminating their assets and accounts.

Microsoft shared with The Hacker News that language support is an inherent feature of LLMs, making them appealing to threat actors focused on social engineering and other tactics involving false and deceptive communications tailored to their targets' professional networks, jobs, and other relationships.

Although no significant or novel attacks utilizing LLMs have been identified thus far, adversarial exploration of AI technologies has advanced through different stages of the attack chain, including reconnaissance, coding assistance, and malware development.

Hackers Using AI for Help With Code Code, Scraping Information

According to the report, the state-affiliated actors mainly sought to leverage OpenAI services for tasks such as querying open-source information, translation, finding coding errors, and executing basic coding tasks.

Some examples of additional threat actors abusing AI are below:

• The Russian nation-state group known as Forest Blizzard (or APT28) utilized OpenAI services for open-source research on satellite communication protocols, radar imaging technology, and scripting tasks.
• North Korean threat actor Emerald Sleet (or Kimusky) employed LLMs to identify experts, think tanks, and organizations focused on defense issues in the Asia-Pacific region, as well as for scripting tasks and drafting content for potential phishing campaigns.
• Iranian threat actor Crimson Sandstorm (or Imperial Kitten) used LLMs for creating code snippets related to app and web development, generating phishing emails, and researching ways malware could evade detection.
• Chinese threat actors Charcoal Typhoon (or Aquatic Panda) and Salmon Typhoon (or Maverick Panda) utilized LLMs for various tasks including researching companies and vulnerabilities, generating scripts, translating technical papers, and retrieving information on intelligence agencies.

Microsoft is in the process of developing a set of principles to mitigate the risks associated with the malicious use of AI tools and APIs by nation-state advanced persistent threats (APTs), advanced persistent manipulators (APMs), and cybercriminal syndicates. These principles aim to establish effective guardrails and safety mechanisms around AI models.