Cloudflare warns state-backed hackers are ‘weaponizing legitimate enterprise ecosystems’ as ‘living off the land’ attacks surge

Chinese, North Korean, and Russian-backed threat groups now favor longer-term compromises over brute force attacks


State-sponsored attackers are weaponizing legitimate software and infrastructure to lie in wait, shifting tactics away from data breaches to more sophisticated espionage and disruptive operations.

That's according to a new report from Cloudflare that walked through a series of attacks, ranging from Chinese abuse of Google Calendar for command and control to North Korean IT worker scams – including a tactic that makes use of AI.

In that attack, the hackers snuck past traditional perimeter defenses by finding credentials hidden in code using secret scanning tools, such as TruffleHog.

"Once these keys to the kingdom were harvested, the actor leveraged generative AI in real time to navigate unfamiliar, complex SaaS environments," the report said.

Examples like this underline how AI is supporting cyber crime operations, the report noted, making it easier for hackers to target legitimate tools and weaponize them against victims.

"The accessibility of generative AI large language models (LLMs) both increases unwitting user risk and significantly lowers the barrier to entry for highly effective operations," researchers said.

"Adversaries have moved beyond technically elegant code to 'offense by the system,' leveraging a victim’s own cloud, SaaS, and AI infrastructure to fund and scale missions."

Nation-state attackers shift tactics

Cloudflare said it has tracked four primary state actors over the last year, namely Russia, China, North Korea, and Iran. The security firm said it was seeing a blurring of strategic goals, with digital strikes increasingly backing up military actions in conflicts.

China, for example, has shifted away from bulk data theft to targeting legitimate infrastructure such as the cloud for longer-term compromises and strategic "pre-positioning" tactics that are ideal for espionage and disruptive operations.

"By weaponizing legitimate enterprise ecosystems – such as FrumpyToad’s use of Google Calendar for C2 or PunyToad’s exploitation of F5 and VMware vCenter and ESXi – Beijing has created a resilient, living-off-the-cloud architecture that allows for rapid data exfiltration while remaining nearly invisible to standard perimeter defenses," the report noted.

Notorious Chinese state-backed hacker groups such as Salt Typhoon have employed living off the land techniques extensively over the last two years, most notably during attacks on US State National Guard networks and US congressional email systems.

Meanwhile, in Russia, groups like NastyShrew use "high-reputation cloud services" to mask their activities in order to continue targeting Ukrainian critical systems.

That includes tactical communication apps used by the Ukrainian military, and Cloudflare suggested that was "possibly in support of physical operations."

The rise of North Korean IT workers

Cloudflare has also observed what it calls the "industrialization" of a scheme run by North Korea in which AI and other tools are used to pose as American workers to get jobs as remote IT workers.

"These operatives infiltrate Western organizations by leveraging fraudulent identities and AI-driven deepfakes to bypass video interviews, ultimately funneling hundreds of millions of dollars in revenue back to the regime," the report notes.

Alongside using AI, threat actors often set up digital personas on LinkedIn and GitHub for more legitimacy – sometimes even "renting" the accounts of real American citizens.

Once employed, these North Korean workers use American-based "laptop farms" that are accessed via remote management and monitoring software from overseas.

As ITPro previously reported, the number of fake IT worker scams has surged over the last 18 months, prompting security agencies and the FBI to issue advisories on how to tackle the issue.

Cloudflare said it's possible to spot such behavior, however, and urged organizations to bolster identity checks.

"Despite these sophisticated tactics, several high-fidelity detection indicators have emerged, including 'impossible travel' login alerts, the presence of mouse-jiggling software, and specific video metadata micro-artifacts consistent with real-time deepfake rendering," the company said.

Notably, Cloudflare advised shifting away from traditional perimeter defenses in favor of zero trust biometric verification and stricter geofencing for remote management tools.
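The first of those indicators, "impossible travel", can be turned into a straightforward detection rule. The following is an added example, not code from the article or from Cloudflare's report: it replays a constructed login log (the accounts, coordinates, IP addresses and the 900 km/h ceiling are all assumptions) and flags any account whose consecutive logins would require faster-than-airliner travel, including the edge case of two sessions opened at the same instant from distant locations.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds (not from the report): airliner-speed ceiling, and a
# minimum hop so carrier/VPN churn inside one metro area is not flagged.
MAX_PLAUSIBLE_KMH = 900.0
MIN_DISTANCE_KM = 50.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """logins: (user, utc_datetime, lat, lon, src_ip) tuples.
    Returns (user, prev_ip, new_ip, km, hours) for each consecutive login of
    the same user that implies travel faster than max_kmh."""
    alerts, last_seen = [], {}
    for user, ts, lat, lon, ip in sorted(logins, key=lambda l: (l[0], l[1])):
        prev = last_seen.get(user)
        if prev is not None:
            _, pts, plat, plon, pip = prev
            km = haversine_km(plat, plon, lat, lon)
            hours = (ts - pts).total_seconds() / 3600.0
            # hours == 0: simultaneous sessions from distant places; a plain
            # km/hours check would divide by zero and miss it
            if km >= MIN_DISTANCE_KM and (hours == 0 or km / hours > max_kmh):
                alerts.append((user, pip, ip, round(km), round(hours, 2)))
        last_seen[user] = (user, ts, lat, lon, ip)
    return alerts


def _t(h, m):
    return datetime(2024, 1, 15, h, m, tzinfo=timezone.utc)

# Constructed sample log: asmith drives New York -> Boston over five hours,
# jdoe "moves" Dallas -> Shenyang in 45 minutes, mlee has two sessions at
# the same instant from Seattle and London.
SAMPLE_LOGINS = [
    ("asmith", _t(9, 0), 40.71, -74.01, "203.0.113.10"),
    ("asmith", _t(14, 0), 42.36, -71.06, "203.0.113.11"),
    ("jdoe", _t(13, 0), 32.78, -96.80, "198.51.100.7"),
    ("jdoe", _t(13, 45), 41.80, 123.43, "192.0.2.44"),
    ("mlee", _t(10, 0), 47.61, -122.33, "198.51.100.9"),
    ("mlee", _t(10, 0), 51.51, -0.13, "192.0.2.88"),
]
```

Running `find_impossible_travel(SAMPLE_LOGINS)` returns alerts for jdoe and mlee only; in practice the lat/lon would come from a GeoIP lookup of the source address, and a known-VPN allowlist would be applied before alerting.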


Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole is the author of a book about the history of technology, The Long History of the Future.