CyberSecurity SEE

Nation-state threat actors leveraging LLMs for enhanced cyber operations

Emerald Sleet, Crimson Sandstorm, and Charcoal Typhoon are prominent threat actors that have been using the assistance of large language models (LLMs) to execute their cyber activities, as per a recent report. The three groups have been identified as North Korean, Iranian, and Chinese state-affiliated threat actors, respectively, and have been leveraging LLMs in various ways to support their malicious operations.

One of the key findings from the report is that Emerald Sleet, a North Korean threat actor, has been using LLMs to understand and exploit publicly known vulnerabilities. The group has used LLM-assisted vulnerability research to better comprehend vulnerabilities such as CVE-2022-30190, the Microsoft Support Diagnostic Tool (MSDT) vulnerability. Emerald Sleet has also employed LLMs for basic scripting tasks and for social engineering, particularly drafting content for spear-phishing campaigns against individuals with regional expertise.

Moving on to Crimson Sandstorm, an Iranian group connected to the Islamic Revolutionary Guard Corps (IRGC), the report highlights its use of LLMs for social engineering, scripting, and anomaly detection evasion. Crimson Sandstorm has used LLM-supported social engineering to generate phishing emails, and has used LLMs to improve its scripting for app and web development and for interactions with remote servers. The group has also attempted to leverage LLMs for help writing code that evades detection, disables antivirus, and deletes files after an application has been closed.

Lastly, Charcoal Typhoon, a Chinese state-affiliated threat actor primarily targeting entities within Taiwan, Thailand, Mongolia, Malaysia, France, and Nepal, has utilized LLMs for research into specific technologies and vulnerabilities and for scripting. Its use of LLM-informed reconnaissance has been instrumental in gathering preliminary information about technologies, platforms, and vulnerabilities. Charcoal Typhoon has also employed LLM-enhanced scripting techniques to generate and refine scripts that automate complex cyber tasks and operations.

The report’s findings shed light on how threat actors are integrating LLMs into their malicious activities, leveraging these language models for vulnerability research, social engineering, anomaly detection evasion, and various scripting tasks. It underscores the evolving nature of cyber threats and the increasing sophistication of malicious actors in exploiting advanced technologies for their nefarious purposes.

Overall, the use of LLMs by these threat actors represents a concerning trend in the cybersecurity landscape, highlighting the need for enhanced measures to detect and mitigate the impact of such activities. As threat actors continue to adapt and evolve their tactics, the cybersecurity community must remain vigilant and proactive in addressing these emerging challenges.
