Google has issued a warning about North Korean state-sponsored hackers, identified as UNC2970, who are leveraging the AI model Gemini for advanced cyber operations. The tech giant’s Threat Intelligence Group (GTIG) revealed these actors are utilizing AI to gather intelligence and streamline cyber attack processes.
AI-Powered Reconnaissance and Phishing
UNC2970, associated with notorious groups like Lazarus and Hidden Cobra, has been found using Gemini to enhance their reconnaissance capabilities. This includes synthesizing open-source intelligence (OSINT) to profile and target key individuals, primarily in the cybersecurity and defense sectors. By blending routine research with malicious intent, they craft convincing phishing personas to breach systems.
The group is infamous for its ‘Operation Dream Job’, targeting aerospace and energy sectors under the guise of job recruitment. Through AI, they now efficiently map technical roles and salaries, escalating their phishing strategies.
Broader Use of AI in Cyber Attacks
UNC2970 is not alone in utilizing AI for cyber operations. Other hacking groups, such as UNC6418 and Mustang Panda, have integrated AI to gather sensitive data and compile dossiers on individuals. Chinese groups APT31 and APT41 are noted for employing AI to analyze vulnerabilities and troubleshoot exploit codes.
Iranian group APT42 uses AI to create engaging personas for social engineering, while developing tools like a Google Maps scraper. These activities highlight a growing trend of AI weaponization across various state-sponsored hacking entities.
Emerging Threats and Global Implications
Google also highlighted the use of malware called HONESTCUE, which employs Gemini’s API for generating functional code. Additionally, the AI-generated phishing kit COINBAIT poses as a cryptocurrency exchange to harvest credentials. These tactics point to a sophisticated level of cyber threat sophistication.
Recent ‘ClickFix’ campaigns illustrate how AI is used to deliver malware by hosting instructions on common computer issues. Furthermore, Google thwarted model extraction attacks aimed at replicating AI model behavior, a tactic illustrated by a Praetorian-led PoC attack achieving high accuracy through systematic querying.
The threat landscape is evolving rapidly, with AI playing a pivotal role in cyber attacks. As organizations continue to rely on AI, understanding these threats becomes crucial for maintaining cybersecurity.
