Rewterz Threat Update – Nation-State APT Groups Weaponize Artificial Intelligence and Large Language Modules for Cyber Attacks

Severity

High

Analysis Summary

Microsoft warns that nation-state advanced persistent threat (APT) groups linked to North Korea, Russia, China, and Iran are incorporating artificial intelligence (AI) and large language modules (LLMs) to help with their newest cyber attack operations.

A recent joint advisory published by Microsoft and OpenAI stated that they managed to successfully disrupt efforts made by the five state-linked actors who used its AI services to carry out cybercrimes. This was achieved by terminating their assets and accounts. LLMs support languages as a natural feature that attracts threat actors who focus on social engineering techniques as well as other techniques that rely on deception and false communications tailored to their victim’s jobs, professional networks, and other similar relationships.

No notable or new attacks that employ LLMs have been detected so far. Still, the exploration of threat actors of AI technologies has gone beyond the multiple attack chain stages, like reconnaissance, coding assistance, and malware development. The threat actors usually like to use OpenAI services for querying open-source information, finding coding errors, translating information, and even running basic coding tasks. For example, the Russia-linked APT group called APT28 (Forest Blizzard) is believed to have used its offerings to perform open-source research into satellite communication protocols and technology for radar imaging, as well as to help with scripting tasks. Some of the other APT groups that are worth mentioning are:

• Kimsuky (aka Emerald Sleet), a North Korea-attributed threat actor, has been observed using LLMs for identifying experts, organizations, and think tanks that focus on defense within the Asia-Pacific region and to understand the publicly revealed vulnerabilities, support with basic scripting tasks, and create content that can be used in phishing campaigns.
• Imperial Kitten (aka Crimson Sandstorm) is an Iranian threat group that has frequently used LLMs to generate code snippets related to app and web development, create phishing emails, and research common ways malware can evade being detected.
• Aquatic Panda (aka Charcoal Typhoon), a China-linked threat group, has utilized LLMs to research many different companies and vulnerabilities, create scripts, generate content to be used in phishing campaigns, and identify techniques to use for post-exploitation.
• Maverick Panda (aka Salmon Typhoon) is another Chinese threat group that has leveraged LLMs for translating technical papers, fetching information that is publicly available on various intelligence agencies and regional threat actors, resolving coding errors, and finding detection evasion tactics.

The report also stated that the security researchers are developing a set of principles that will help mitigate the risks posed by the malicious use by APT groups of AI tools and APIs and conceive effective safety mechanisms around its models. These principles include identifying and taking action against malicious users and warning other AI service providers as well as collaborating with other stakeholders.

Impact

• Cyber Espionage
• Sensitive Information Theft

Remediation

• Conduct regular cybersecurity awareness training for all employees to educate them about the risks of phishing, social engineering, and other cyber threats. Employees should be trained to recognize suspicious emails and avoid clicking on links or opening attachments from unknown sources.
• Deploy advanced email security solutions that can detect and block phishing attempts and malicious attachments.
• Keep all software, operating systems, and applications up-to-date with the latest security patches. Regularly apply updates to address known vulnerabilities that threat actors may exploit.
• Use robust endpoint protection tools that can detect and prevent malware activities on endpoints.
• Maintain regular backups of critical data and systems on offline or offsite storage.
• Implement network segmentation to create isolated subnetworks. This limits the lateral movement of malicious activities within the network, making it harder for the malware to spread to critical systems.
• Limit access to sensitive systems and data only to authorized personnel. Implement strong access controls, including the principle of least privilege, to reduce the attack surface.
• Implement robust security monitoring and intrusion detection systems to identify unusual activities and behaviors.
• Conduct regular security audits and penetration testing to identify and address vulnerabilities proactively.
• Disable or remove unnecessary services and applications to minimize the attack surface and reduce the risk of exploitation.
• Implement secure development practices when building AI and other software tools to prevent potential misuse by cyber criminals.