Over 57 distinct threat actors with ties to China, Iran, North Korea, and Russia have been observed using artificial intelligence (AI) technology powered by Google to further enable their malicious cyber and information operations.
“Threat actors are experimenting with Gemini to enable their operations, finding productivity gains but not yet developing novel capabilities,” Google Threat Intelligence Group (GTIG) said in a new report. “At present, they primarily use AI for research, troubleshooting code, and creating and localizing content.”
Government-backed attackers, otherwise known as Advanced Persistent Threat (APT) groups, have sought to use its tools to bolster multiple phases of the attack cycle, including coding and scripting tasks, payload development, gathering information about potential targets, researching publicly known vulnerabilities, and enabling post-compromise activities, such as defense evasion.
Describing Iranian APT actors as the “heaviest users of Gemini,” GTIG said the hacking crew known as APT42, which accounted for more than 30% of Gemini use by hackers from the country, leveraged its tools for crafting phishing campaigns, conducting reconnaissance on defense experts and organizations, and generating content with cybersecurity themes.
APT42, which overlaps with clusters tracked as Charming Kitten and Mint Sandstorm, has a history of orchestrating enhanced social engineering schemes to infiltrate target networks and cloud environments. Last May, Mandiant revealed the threat actor’s targeting of Western and Middle Eastern NGOs, media organizations, academia, legal services and activists by posing as journalists and event organizers.
The adversarial collective has also been found to research military and weapons systems, study strategic trends in China’s defense industry, and gain a better understanding of U.S.-made aerospace systems.
Chinese APT groups were found searching Gemini for ways to conduct reconnaissance, troubleshoot code, and methods to burrow deep into victim networks through techniques like lateral movement, privilege escalation, data exfiltration, and detection evasion.
While Russian APT actors limited their use to Gemini to convert publicly available malware into another coding language and adding encryption layers to existing code, North Korean actors employed Google’s AI service to research infrastructure and hosting providers.
“Of note, North Korean actors also used Gemini to draft cover letters and research jobs—activities that would likely support North Korea’s efforts to place clandestine IT workers at Western companies,” GTIG noted.
“One North Korea-backed group utilized Gemini to draft cover letters and proposals for job descriptions, researched average salaries for specific jobs, and asked about jobs on LinkedIn. The group also used Gemini for information about overseas employee exchanges. Many of the topics would be common for anyone researching and applying for jobs.”
The tech giant further noted that it has seen underground forum posts advertising nefarious versions of large language models (LLMs) that are capable of generating responses sans any safety or ethical constraints.
Examples of such tools include WormGPT, WolfGPT, EscapeGPT, FraudGPT, and GhostGPT, which are explicitly designed to craft personalized phishing emails, generate templates for business email compromise (BEC) attacks, and design fraudulent websites.
Attempts to misuse Gemini have also revolved around research into topical events, and content creation, translation, and localization as part of influence operations mounted by Iran, China, and Russia. In all, APT groups from more than 20 countries used Gemini.
Google, which said it’s “actively deploying defenses” to counter prompt injection attacks, has further emphasized the need for heightened public-private collaboration to raise cyber defenses and disrupt threats, stating “American industry and government need to work together to support our national and economic security.”
