CyberSecurity SEE

Nation-States Are Utilizing AI as a Weapon in Cyberattacks

Several news posts, including those from OpenAI and Microsoft, have disclosed that five major state-affiliated threat actors are employing OpenAI software for malicious purposes. After identifying them, OpenAI closed down all of their accounts. The threat actors involved are aligned with China, Iran, North Korea, and Russia, and they are utilizing large language models (LLMs) to enhance their cyber operations.

The nation-state Advanced Persistent Threats (APTs) employing OpenAI’s technology for nefarious purposes are among the most infamous in the world. For instance, Fancy Bear, a notorious group affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), has been utilizing LLMs for a wide range of activities, including file manipulation, intelligence gathering, and research into satellite communication protocols and radar imaging technologies. This is likely connected to their actions in the ongoing war in Ukraine.

Similarly, two Chinese state actors known as Charcoal Typhoon and Salmon Typhoon have been employing AI for a variety of pre-compromise and post-compromise malicious behaviors. Charcoal Typhoon, also known as RedHotel, has been using AI for scripting additional commands and achieving deeper system access, while Salmon Typhoon is primarily utilizing LLMs as an intelligence tool to gather information about high-profile individuals, intelligence agencies, and internal and international politics.

Crimson Sandstorm, a threat actor aligned with Iran, has been using OpenAI to develop phishing material and code snippets to aid their web scraping and other malicious activities. Lastly, Emerald Sleet, associated with North Korea, utilizes OpenAI for basic scripting tasks, phishing content generation, and researching publicly available information on vulnerabilities, experts, think tanks, and government organizations concerned with its defense and nuclear weapons program.

Despite the potential for AI-enhanced nation-state cyber operations, none of the observed LLM abuses has been particularly devastating so far. According to a report by Microsoft, the threat actors' use of LLM technology reveals behaviors consistent with AI being used as another productivity tool. The caveat is that companies need to remain vigilant, because AI still offers advantages to attackers: bad actors will likely be able to deploy malware at a larger scale or on systems they previously didn’t have support for, which poses a danger.

Overall, the ability of AI to aid cyber operations should not be underestimated, and companies need to remain vigilant and continue to prioritize cybersecurity as a fundamental aspect of their operations.

With the increasing sophistication of AI technologies, it is essential for companies and organizations to stay a step ahead of malicious actors to safeguard their systems and data. As AI continues to evolve, it is likely that new threats will emerge, making it imperative for cybersecurity professionals to remain proactive and adapt to the evolving threat landscape.
