Unleashing Chaos: APTs' Misuse of Generative AI Disclosed

Published On Sun Feb 02 2025

Adversarial Misuse of Generative AI: How APTs Are Experimenting ...

A new Google Threat Intelligence Group (GTIG) report titled “Adversarial Misuse of Generative AI” analyzes how state-backed cyber actors are experimenting with generative AI tools, specifically Google’s Gemini, in their offensive operations. Advanced Persistent Threat (APT) groups linked to Iran, China, North Korea, and Russia were observed using Gemini to support reconnaissance, malware development, and influence campaigns, mostly as a productivity aid rather than as a source of new capabilities.

Iranian APT Groups

Iranian APT groups were the heaviest users of Gemini in the report, with APT42 accounting for the largest share of that activity. They used the model for:

  • Reconnaissance – Researching defense organizations and cybersecurity companies.
  • Phishing Campaigns – Crafting convincing phishing emails and tailoring content for US defense targets.
  • Vulnerability Research – Investigating publicly known vulnerabilities in Atlassian, MikroTik, and Apereo software.

Iranian actors also experimented with AI-assisted malware development and asked Gemini about red teaming techniques, probing how far the model would go in supporting offensive operations.

Chinese APT Actors

Chinese APT actors used Gemini for:

  • Reconnaissance – Researching US military operations, defense contractors, and intelligence personnel databases.
  • Malware Development – Converting existing infostealer malware into Node.js, automating Active Directory attacks, and developing Chrome extensions to bypass security controls.
  • Deception – Generating fake company profiles and social engineering materials.

Google also observed Chinese actors using Gemini to support post-compromise activity, including privilege escalation, lateral movement, data exfiltration, and detection evasion within networks they had already breached.

North Korean Cyber Groups

North Korean cyber groups, including APT43, used AI tools to:

  • Target Financial Institutions – Researching cryptocurrency platforms and financial networks.
  • Support the IT Worker Scheme – Drafting convincing job applications and cover letters used to place North Korean IT workers inside Western companies under false identities.
  • Develop Malware and Evasion Techniques – Writing C++ webcam recording malware, scripting sandbox evasion tactics, and learning how to bypass Google Voice restrictions.

North Korean hackers have a long-standing interest in AI-generated phishing lures and deepfake technology, which could be used to support financial fraud and espionage operations.

Russian APT Groups

Unlike the other three countries, Russian APT groups showed only limited engagement with Gemini during the reporting period. Where Google did see activity, Russian actors:

  • Used Gemini for malware reengineering, translating existing malware into different programming languages.
  • Added AES encryption to existing attack tools.
  • Researched how to automate social media disinformation campaigns.

The report does not explain the low volume, but one plausible reason is that Russia maintains its own domestic AI models, so Moscow-linked units may favor those systems, or avoid Western platforms for operational security reasons, rather than use publicly available services like Gemini.

Misuse of AI by threat actors is growing, but Google’s report finds no evidence that APT groups are using it in novel or groundbreaking ways. Instead, they treat AI as an efficiency and productivity tool, much as they use established tooling such as Metasploit or Cobalt Strike: it speeds up research, coding, and content generation without yet delivering capabilities they did not already have.

However, as AI models continue to evolve, Google expects threat actors to refine their tactics, which could lead to more advanced AI-driven cyber operations in the future.
