Microsoft and OpenAI warn state-backed threat actors are using generative AI en masse to wage cyber attacks
Microsoft has released a report detailing how prominent state-linked threat actors are using generative AI to enhance attack methods


Russian, North Korean, Iranian, and Chinese-backed threat actors are attempting to use generative AI to inform, enhance, and refine their attacks, according to a new threat report from Microsoft and OpenAI.
In the first Cyber Signals report of 2024, Microsoft collaborated with its commercial partner OpenAI to conduct research on how to ensure AI technologies like ChatGPT are being used safely and responsibly and mitigate potential misuse.
Microsoft’s research named a number of adversaries, all believed to be state-backed groups, revealing how they are implementing AI tools in their tactics, techniques, and procedures (TTPs).
Forest Blizzard, also known as Strontium, was listed as a highly effective threat actor with links to a specific unit of Russia's military intelligence agency, the GRU.
The group was recorded targeting a variety of sectors including defense, transportation/logistics, government, energy, non-governmental organizations (NGOs), and information technology.
Microsoft noted the group is particularly active in targeting organizations linked to Russia's war in Ukraine, and characterized the group's forays into AI-assisted attacks as consisting of LLM-informed reconnaissance and LLM-enhanced scripting techniques.
LLM-informed reconnaissance comprises using generative AI to understand satellite communication protocols and radar imaging tools, the companies said, enabling the group to gain valuable insights on potential targets.
LLM-enhanced scripting techniques, on the other hand, refer to using AI models to generate code snippets that can be used to perform functions during an attack.
A Russian-linked group is thought to have been responsible for a recent attack that compromised a database storing recordings of court proceedings from Australia’s Victoria state court system.
Microsoft: North Korea and China continue attacks on US critical infrastructure
North Korean hacking collective Emerald Sleet, also known as Thallium, was highly active throughout 2023, according to the report, with the group's recent operations using AI-enhanced spear-phishing emails to compromise and gather intel on prominent North Korea specialists.
Microsoft's threat analysts also recorded that the group's activities overlap with those of other hacking groups tracked by researchers as Kimsuky and Velvet Chollima.
At the end of 2023, North Korea was described as a growing cyber security threat by Cyjax CISO Ian Thornton-Trump, who cited the nation's 'belligerent relationship' with neighbors South Korea and Japan, as well as the US, as driving the attacks coming out of the region.
Crimson Sandstorm, also known as Curium, is an Iranian threat actor believed to be linked to the Islamic Revolutionary Guard Corps (IRGC), and has been active since at least 2017 targeting defense, maritime shipping, transportation, healthcare, and technology systems.
Microsoft observed that the group's attacks often rely on watering hole attacks and other social engineering techniques to deliver its proprietary .NET malware.
According to analysts at Microsoft, the group's use of LLMs reflects the broader behaviors seen among cyber criminals, and its activity overlaps with threat actors tracked in other research as Tortoiseshell, Imperial Kitten, and Yellow Liderc.
As well as using LLMs to enhance their phishing emails and scripting techniques, Crimson Sandstorm was observed using LLMs to assist in producing code to disable antivirus systems and delete files in a directory after exiting an application, all with the aim of evading anomaly detection.
Microsoft’s threat intelligence team recorded two Chinese state-affiliated groups beginning to use AI technologies to target different regions.
Charcoal Typhoon, also known as Chromium, was identified in the report as targeting sectors including government, higher education, communications, infrastructure, oil & gas, and information technology, with a focus on organizations in Taiwan, Thailand, Mongolia, Malaysia, France, and Nepal.
Salmon Typhoon, also known as Sodium, has a history of launching attacks against the US defense sector including contractors, government agencies, and organizations active in the cryptographic and technology sectors.
The report noted Salmon Typhoon's use of LLMs in 2024 appeared to be limited to research, indicating the group is still exploring the efficacy of LLMs in retrieving sensitive information and scoping out potential targets.
Microsoft’s report follows a warning from the intelligence alliance Five Eyes, which revealed state-backed groups are increasingly employing ‘living off the land’ techniques to maintain access to critical infrastructure systems.
The US's National Security Agency (NSA), FBI, and Cybersecurity and Infrastructure Security Agency (CISA) also recently released details about the methods used by Chinese threat actor Volt Typhoon to compromise the networks of a number of critical national infrastructure organizations.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.