Recent findings from Google’s Threat Intelligence Group (GTIG) highlight how government-backed actors utilize Gemini to enhance existing tactics, such as phishing, scripting, surveillance, and information operations (IO).
Key takeaways:
Iran:
– Iranian APT actors are the most frequent users of AI among adversarial states.
– APT42 leveraged Gemini to create phishing content targeting defense experts and AI-themed messages aimed at U.S. organizations.
– Iranian actors also researched military vulnerabilities, satellite systems, and anti-drone technologies.
– Iranian IO teams manipulated political content, tailored SEO strategies, and aimed to boost engagement for their influence campaigns.
North Korea:
– North Korean actors integrate cybercrime, espionage, and fraud with strategic AI usage.
– They utilized Gemini to script malware, develop code that evades detection in sandboxes, and analyze Chrome extensions capable of capturing keystrokes and screenshots.
– They drafted job applications and cover letters to facilitate a scheme aimed at secretly embedding operatives in Western companies.
– Additionally, they explored topics related to South Korea’s nuclear sector, the U.S. military, and global cryptocurrency infrastructure.
China:
– Actors from the People’s Republic of China (PRC) employ AI with the precision of seasoned engineers but with distinct geopolitical motives.
– They sought Gemini’s assistance for Active Directory exploitation and domain reconnaissance on U.S. government networks.
– They aimed to reverse-engineer endpoint detection and response (EDR) tools, troubleshoot software issues, and explore workflows for malware development.
– PRC-affiliated IO actors generated AI-created content about Taiwan, U.S. politics, and sensitive topics like the “five poisons”.
Russia:
While Russian APT groups utilized Gemini less frequently—likely due to operational security reasons—their IOs remain active.
– They rewrote public malware, added encryption to their code, and researched LLMs for content creation and chatbot development.
– Russian actors likely used LLMs to generate articles that align with Kremlin narratives targeting the West.
What does all this indicate?
As we saw during our tabletop exercise at UC Berkeley, AI is not a game-changer in terms of introducing new types of attacks.
However, it is undeniably a force multiplier: faster iteration of malware, more convincing phishing schemes, scalable propaganda efforts, and easier reconnaissance and evasion.
The next chapter in cyber conflict will be shaped not just by code and exploits but also by AI-fueled campaigns of influence and intrusion.
I will be exploring these themes at a panel during RSA Conference next week.
Let’s continue pushing the conversation forward.
#AI #Geopolitics #CyberConflict #Iran #China