
57 APT Groups Leveraging AI for Cyber Operations, Google Says

Recent findings by Google Threat Intelligence Group reveal that over 57 distinct cyber threat actors with ties to China, Iran, North Korea, and Russia are using artificial intelligence (AI) technology, particularly Google’s AI models, to support their malicious cyber and information operations. This growing trend highlights the increasing role of AI in cyber warfare and espionage.


According to a new report from Google Threat Intelligence Group (GTIG), threat actors have been integrating Gemini into their operations to improve efficiency rather than to create entirely new capabilities. These groups primarily use AI for research, debugging code, and generating and localizing content (GTIG, 2024).
AI in Cyber Attack Cycles

State-sponsored hacking groups, commonly referred to as Advanced Persistent Threats (APTs), have been found using AI to support multiple phases of the attack lifecycle. These include coding and scripting, payload development, reconnaissance on potential targets, analysis of publicly known vulnerabilities, and post-compromise activity such as evading detection and security defenses (GTIG, 2024).

Iranian APTs: The Most Active Users of AI

GTIG identified Iranian APT groups as the most frequent users of Google’s AI tools. Notably, APT42, responsible for over 30% of Gemini-related activity originating from Iran, has been leveraging AI to orchestrate phishing attacks, conduct surveillance on defense organizations and experts, and create content related to cybersecurity.

APT42, which overlaps with other hacking collectives such as Charming Kitten and Mint Sandstorm, is known for sophisticated social engineering tactics aimed at infiltrating networks and cloud environments. In May 2023, cybersecurity firm Mandiant uncovered the group’s efforts to target Western and Middle Eastern NGOs, media outlets, academic institutions, legal firms, and activists by masquerading as journalists and event coordinators (Mandiant, 2023).

Beyond cyber espionage, Iranian hackers have also explored AI to study military and weapons systems, analyze strategic trends in China’s defense industry, and understand U.S.-made aerospace technologies.

China’s Use of AI in Cyber Espionage

Chinese APTs have been observed leveraging AI for reconnaissance purposes, debugging malicious code, and refining their network penetration techniques. Specifically, they have explored AI-powered methods for lateral movement, privilege escalation, data exfiltration, and stealth operations aimed at avoiding detection.

Russian and North Korean APTs’ AI Tactics

Russian state-backed hackers have primarily used Gemini to modify publicly available malware, translating code into different programming languages and embedding encryption layers for added obfuscation.

Meanwhile, North Korean threat actors have taken a different approach, using Google’s AI platform to gather intelligence on infrastructure and hosting providers. One particularly concerning trend is their use of AI to draft job applications and research employment opportunities at Western tech companies. According to GTIG, a North Korean hacking group used Gemini to create cover letters, draft job proposals, and gather information on salaries and job descriptions, likely to facilitate covert placement of IT workers in foreign firms.
The Rise of Malicious AI Models

Beyond Gemini, the cybersecurity community has identified underground forums promoting malicious AI-driven tools designed to bypass the safeguards built into mainstream models. Some of the most notorious include WormGPT, WolfGPT, EscapeGPT, FraudGPT, and GhostGPT. These models are marketed specifically for generating highly convincing phishing emails, facilitating business email compromise (BEC) attacks, and building fraudulent websites.

Influence Operations and AI-Powered Disinformation

Threat groups from Iran, China, and Russia have also weaponized AI for propaganda campaigns, utilizing it for real-time event analysis, content creation, translation, and localization to spread disinformation. Overall, APT actors from over 20 countries have engaged with Gemini in various capacities.

Google’s Countermeasures and Call for Collaboration

In response to these developments, Google has been proactively deploying defenses to prevent misuse of its models, including countermeasures against prompt injection attacks. The company has also stressed the need for stronger collaboration between the public and private sectors to bolster cybersecurity resilience, emphasizing cooperation between American industry and government to strengthen national and economic security.

Milena Dimitrova