Cloudflare warns state-backed hackers are ‘weaponizing legitimate enterprise ecosystems’ as ‘living off the land’ attacks surge
Chinese, North Korean, and Russian-backed threat groups now favor longer-term compromises over brute force attacks
State-sponsored attackers are weaponizing legitimate software and infrastructure to lie in wait, shifting tactics away from data breaches to more sophisticated espionage and disruptive operations.
That's according to a new report from Cloudflare that walked through a series of attacks from Chinese hacks against Google Calendar to North Korean IT worker scams – including a tactic that makes use of AI.
In that attack, the hackers snuck past traditional perimeter defenses by finding credentials hidden in code using secret scanning tools, such as TruffleHog.
"Once these keys to the kingdom were harvested, the actor leveraged generative AI in real time to navigate unfamiliar, complex SaaS environments," the report said.
Examples like this underline how AI is supporting cyber crime operations, the report noted, making it easier for hackers to target legitimate tools and weaponize them against victims.
"The accessibility of generative AI large language models (LLMs) both increases unwitting user risk and significantly lowers the barrier to entry for highly effective operations," researchers said .
"Adversaries have moved beyond technically elegant code to 'offense by the system,' leveraging a victim’s own cloud, SaaS, and AI infrastructure to fund and scale missions."
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Nation-state attackers shift tactics
Cloudflare said it has tracked four primary state actors over the last year, namely Russia, China, North Korea, and Iran. The security firm said it was seeing a blurring of strategic goals, with digital strikes increasingly backing up military actions in conflicts.
China, for example, has shifted away from bulk data theft to targeting legitimate infrastructure such as the cloud for longer-term compromises and strategic "pre positioning" tactics that are ideal for espionage and disruptive operations.
"By weaponizing legitimate enterprise ecosystems – such as FrumpyToad’s use of Google Calendar for C2 or PunyToad’s exploitation of F5 and VMware vCenter and ESXi – Beijing has created a resilient, living-off-the-cloud architecture that allows for rapid data exfiltration while remaining nearly invisible to standard perimeter defenses," the report noted.
Notorious Chinese state-backed hacker groups such as Salt Typhoon have employed living off the land techniques extensively over the last two years, most notably during attacks on US State National Guard networks and US congressional email systems.
Meanwhile, in Russia, groups like NastyShrew use "high-reputation cloud services" to mask their activities in order to continue targeting Ukrainian critical systems.
That includes tactical communication apps used by the Ukrainian military, and Cloudflare suggested that was "possibly in support of physical operations."
The rise of North Korean IT workers
Cloudflare has also observed what it calls the "industrialization" of a scheme run by North Korea in which AI and other tools are used to pose as American workers to get jobs as remote IT workers.
"These operatives infiltrate Western organizations by leveraging fraudulent identities and AI-driven deepfakes to bypass video interviews, ultimately funneling hundreds of millions of dollars in revenue back to the regime," the report notes.
Alongside using AI, threat actors often set up digital personas on LinkedIn and GitHub for more legitimacy – sometimes even "renting" the accounts of real American citizens.
Once employed, these North Korean workers use American-based "laptop farms" that are accessed via remote management and monitoring software from overseas.
As ITPro previously reported, the number of fake IT worker scams has surged over the last 18 months, prompting security agencies and the FBI to issue advisories on how to tackle the issue.
Cloudflare said it's possible to spot such behavior, however, and urged organizations to bolster identity checks.
"Despite these sophisticated tactics, several high-fidelity detection indicators have emerged, including 'impossible travel' login alerts, the presence of mouse-jiggling software, and specific video metadata micro-artifacts consistent with real-time deepfake rendering,” the company said.
Notably, Cloudflare advised shifting away from traditional perimeter defenses in favor of zero trust biometric verification and stricter geofencing for remote management tools.
FOLLOW US ON SOCIAL MEDIA
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole the author of a book about the history of technology, The Long History of the Future.
-
Cyber experts say they've identified the first case of ‘agentic ransomware’News While the JadePuffer ransomware has alarm bells ringing, it still needed a human in the loop
-
Yorkshire Building Society touts customer service gains with AI agentsNews The firm said that agents Penelope, Sam, and Alf are helping improve customer service, while adhering to high levels of regulation
-
‘The risk to every organization has increased exponentially’: The FortiBleed campaign just took a turn for the worseNews Reports suggest that FortiBleed-linked exposed credentials could put UK government and public services at huge risk
-
US offers $10m bounty for info on Russia-linked hackers behind Signal and WhatsApp attacksNews UNC5792 and UNC4221 have been targeting government officials through their Signal and WhatsApp accounts
-
Duo accused of role in TfL cyber attack plead guilty after ‘lengthy, highly complex, and painstaking investigation’News Around 10 million people are believed to have been affected by the TfL cyber attack
-
Security experts sound alarm over 'expanded' China-linked botnet used to target US critical infrastructure and military assetsNews The China-linked botnet highlights risk of leaving routers and IoT devices unpatched
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
Russian hackers are weaponizing CRMs, Ukraine’s former foreign minister warnsNews Dr Dmytro Kuleba told IT leaders in London that everyday business software is being actively exploited by nation-states
-
Hackers are turning up at law firms to gain physical access to machinesNews The FBI is warning companies to look out for fake IT staff
-
Two US nationals sentenced for role in prolific fake worker laptop farmsNews The Americans were raising money for the North Korean regime by allowing fake IT workers to appear as legitimate US-based employees