Microsoft released new research on Wednesday, highlighting how nation-state threat actors are increasingly using generative AI tools in their operations. Although Microsoft stated that the heightened use of GenAI does not currently pose a direct threat to businesses, the company stressed the need for organizations to enhance their security protocols in response to recent nation-state activity.
In a blog post, Microsoft Threat Intelligence and its collaborative partner OpenAI identified five nation-state threat actors that have been observed using large language models (LLMs), such as ChatGPT, to support their attacks. According to the research, these threat actors have utilized LLMs for a variety of purposes, including conducting research on specific technologies and vulnerabilities, gathering information on regional geopolitics and high-profile individuals, and other intelligence-gathering activities.
While Microsoft’s research has not detected any significant attacks employing the LLMs they monitor, the company still believes it is crucial to publish this research to bring attention to early-stage attempts by well-known threat actors and share information on how they are countering them with the defender community.
This aligns with earlier warnings from the U.K.’s National Cyber Security Centre, which predicted that AI will lead to an uptick in cyber threats over the next two years. Microsoft’s Chief Cybersecurity Adviser Bret Arsenault emphasized in the report that the dual utility of AI tools for both defenders and adversaries complicates the threat landscape. Although AI has the potential to empower organizations to combat cyber threats more efficiently, it can also provide adversaries with new tools to enhance their attacks.
The report highlighted that traditional security tools are inadequate in keeping up with the evolving threat landscape, which has seen an increase in the frequency, severity, speed, and sophistication of cyberattacks. Microsoft contends that the use of generative AI will only add to the challenges faced by organizations.
The company’s research detailed how several nation-state adversaries, such as Russia’s Forest Blizzard, North Korea’s Emerald Sleet, and China-affiliated threat actors Charcoal Typhoon and Salmon Typhoon, have been employing LLMs in their operations. Each group leveraged AI tools for various purposes, including research, technical investigation, and information gathering.
For example, Forest Blizzard was observed using LLMs for research into satellite and radar technologies relevant to Ukrainian military operations. The threat actor sought to acquire in-depth knowledge of satellite capabilities by utilizing LLM technology. Meanwhile, Charcoal Typhoon used LLMs to enhance scripting techniques and automate complex cyber tasks. North Korean adversary Emerald Sleet carried out tasks such as basic scripting and spear phishing campaigns using LLMs to assist with technical issues and vulnerabilities.
The report also highlighted the potential impact of AI on social engineering, with Microsoft expressing concerns about how AI could be used to undermine identity proofing and impersonate individuals. The company warned that improved accuracy in impersonation could lead to more successful social engineering campaigns, emphasizing the need to develop capabilities to identify malicious emails beyond just their composition.
To address these challenges, Microsoft recommended implementing security best practices for platforms such as Microsoft Teams and utilizing tools like Microsoft Security Copilot. The company also called for transparency in AI supply chains, regular assessments of AI vendors, and proactive communication of AI policies and potential risks to employees.
In conclusion, Microsoft’s research underscores the growing influence of generative AI in nation-state threat actor operations and the need for organizations to adapt their security protocols to address this rapidly evolving threat landscape. As the use of AI tools continues to evolve, it is imperative for defenders to remain vigilant and continuously reassess their security measures to mitigate the risks posed by nation-state threat actors and advanced persistent threats.