Microsoft and OpenAI warn state-backed threat actors are using generative AI en masse to wage cyber attacks
Microsoft has released a report detailing how prominent state-linked threat actors are using generative AI to enhance attack methods
Russian, North Korean, Iranian, and Chinese-backed threat actors are attempting to use generative AI to inform, enhance, and refine their attacks, according to a new threat report from Microsoft and OpenAI.
In the first Cyber Signals report of 2024, Microsoft collaborated with its commercial partner OpenAI to research how to ensure AI technologies like ChatGPT are being used safely and responsibly, and how to mitigate potential misuse.
Microsoft’s research named a number of adversaries, all believed to be state-backed groups, revealing how they are implementing AI tools in their tactics, techniques, and procedures (TTPs).
Forest Blizzard, also known as Strontium, was listed as a highly effective threat actor with links to a specific unit of the Russian military intelligence agency, the GRU.
The group was recorded targeting a variety of sectors including defense, transportation/logistics, government, energy, non-governmental organizations (NGOs), and information technology.
Microsoft noted the group is particularly active targeting organizations linked to Russia's war in Ukraine, and characterized the group’s forays into AI-assisted attacks as consisting of LLM-informed reconnaissance and LLM-enhanced scripting techniques.
LLM-informed reconnaissance comprises using generative AI to understand satellite communication protocols and radar imaging tools, the companies said, enabling them to gain valuable insights on potential targets.
LLM-enhanced scripting techniques, on the other hand, refer to using AI models to generate code snippets that can be used to perform functions during an attack.
A Russian-linked group is thought to have been responsible for a recent attack that compromised a database storing recordings of court proceedings from Australia’s Victoria state court system.
North Korean hacking collective Emerald Sleet, also known as Thallium, was highly active throughout 2023, according to the report, with the group’s recent operations using AI-enhanced spear-phishing emails to compromise and gather intel on prominent North Korea specialists.
Microsoft’s threat analysts also recorded that the group’s activities overlap with those of other hacking groups tracked by researchers as Kimsuky and Velvet Chollima.
At the end of 2023, North Korea was described as a growing cyber security threat by Cyjax CISO Ian Thornton-Trump, who cited the nation’s ‘belligerent relationship’ with neighbors South Korea and Japan, as well as the US, as driving the attacks coming out of the region.
Crimson Sandstorm, also known as Curium, is an Iranian threat actor believed to be linked to the Islamic Revolutionary Guard Corps (IRGC), and has been active since at least 2017 targeting defense, maritime shipping, transportation, healthcare, and technology systems.
Microsoft observed that the group’s attacks often rely on watering hole attacks and other social engineering techniques to deliver its proprietary .NET malware.
The group’s use of LLMs reflects the broader behaviors seen among cyber criminals, according to analysts at Microsoft, and overlaps with threat actors tracked in other research as Tortoiseshell, Imperial Kitten, and Yellow Liderc.
As well as using LLMs to enhance their phishing emails and scripting techniques, Crimson Sandstorm was observed using LLMs to assist in producing code to disable antivirus systems and delete files in a directory after exiting an application, all with the aim of evading anomaly detection.
Microsoft’s threat intelligence team recorded two Chinese state-affiliated groups beginning to use AI technologies to target different regions.
Charcoal Typhoon, also known as Chromium, was identified in the report as targeting sectors including government, higher education, communications, infrastructure, oil & gas, and information technology, with a focus on organizations in Taiwan, Thailand, Mongolia, Malaysia, France, and Nepal.
Salmon Typhoon, also known as Sodium, has a history of launching attacks against the US defense sector including contractors, government agencies, and organizations active in the cryptographic and technology sectors.
The report noted Salmon Typhoon's use of LLMs in 2024 appeared to be limited to research, indicating the group is still exploring the efficacy of LLMs in retrieving sensitive information and scoping out potential targets.
Microsoft’s report follows a warning from the intelligence alliance Five Eyes, which revealed state-backed groups are increasingly employing ‘living off the land’ techniques to maintain access to critical infrastructure systems.
The US National Security Agency (NSA), FBI, and Cybersecurity and Infrastructure Security Agency (CISA) also recently released details about the methods used by Chinese threat actor Volt Typhoon to compromise the networks of a number of critical national infrastructure organizations.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.