AI in APT Attacks

By Shane Zuls on October 18, 2024

Executive Summary

On Friday, October 11, 2024, the creators of ChatGPT, OpenAI, announced in their October threat report that they had disrupted more than 20 cyber and covert influence operations since the beginning of the year, including the activities of Iranian and Chinese state-sponsored hackers [2]. The names of these groups included CyberAv3ngers, a threat group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), and SweetSpectre, a threat group linked to China [4]. A notable thing about the two APTs is that they both used ChatGPT for similar purposes: reconnaissance activities, vulnerability exploitation, detection evasion, and post-compromise activity [2]. CyberAv3ngers’s main use for ChatGPT was reconnaissance and research in developing Programmable Logic Controllers (PLCs) to attack Industrial Control Systems (ICSs) which could affect things from water treatment plants to energy grids [4]. Essentially, they wanted to compromise crucial local infrastructure. Things they looked up included default passwords for PLCs, information about various known companies or services, and vulnerabilities with a particular emphasis on targeting the nation of Jordan and countries in Central Europe [4]. On the other hand, SweetSpectre mainly used ChatGPT for completing scripts and answering research questions in conjunction with an unsuccessful spear phishing attack on OpenAI employees themselves [4].

 

Background

Ever since the release of OpenAI’s ChatGPT in 2022, information accessibility has been made much easier. ChatGPT gives anyone from anywhere in any language at any time, no matter their skill level or expertise, the ability to access high-quality explanations for any question with any context. Essentially, ChatGPT can be a personal tutor for anyone for absolutely no cost. In the world of information security where the learning curve for experts is steep and information may be obfuscated through multiple sources across the internet, ChatGPT provides an extremely convenient and cost-effective tool to improve one’s skills — no matter their intentions. In the case of CyberAv3ngers & SweetSpectre, ChatGPT gives them the ability to gain helpful feedback and improve their skills and research while being mostly anonymous in achieving their malicious goals. While it is currently unconfirmed, the likely reason behind the Iranian group’s probes may be related to the ongoing Israel-Hamas war since Jordan and Central Europe are leaning toward an Israeli solution to the conflict. On the other hand, China’s likely reason behind the spear phishing attacks on OpenAI can be because of potential industrial espionage or trade secret theft. China has in the past stolen trade secrets in the name of national development, so this wouldn’t be out of character for their APTs [1]. 

 

Impact

Since this story is ongoing, it is hard to say the impact of the specific actions taken by the APTs, yet assumptions can be made from previous similar attacks either by these APTs or their sponsoring nations. In the case of CyberAv3ngers, their previous attacks on ICSs and PLCs led to water outages in Ireland and the compromise of multiple US and Israeli water treatment facilities across the world [3][6]. For SweetSpectre, their previous attacks also involved attacking AI-related organizations either in academia or private industry and government-related services [5]. Their goals likely still remain to boost the development of Chinese AI in order to stay competitive with the West.  

 

Significance

With access to endless amounts of information and real-time updates to important events, APTs have become much more sophisticated and efficient in achieving their objectives. AI has given APTs the opportunity to not only achieve tedious tasks faster, like finding default passwords for PLCs online, but also gives them the ability to learn quicker and stay semi-anonymous while doing so. In the case of both APTs mentioned above, their actions on ChatGPT were not considered suspicious until trusted sources tipped off OpenAI to their previous attacks [4]. It can be expected that more APTs are utilizing AI to make their lives easier while also making security just a bit harder. Attacks utilizing AI are almost guaranteed to come in the future so security policies should be updated in order to reflect these concerns. 

 

References

 

[1] Center For Strategic & International Studies, “Survey of Chinese Espionage in the United States Since 2000,” 2024 https://www.csis.org/programs/strategic-technologies-program/survey-chinese-espionage-united-states-2000

 

[2] Kovacs E., “OpenAI Says Iranian Hackers Used ChatGPT to Plan ICS Attacks,” 2024 https://www.securityweek.com/openai-says-iranian-hackers-used-chatgpt-to-plan-ics-attacks/

 

[3] Martin A., “Two-day water outage in remote Irish region caused by pro-Iran hackers,” 2023 https://therecord.media/water-outage-in-ireland-county-mayo

 

[4] Nimmo B. & Flossman M., “Influence and cyber operations: an update,” 2024 https://cdn.openai.com/threat-intelligence-reports/influence-and-cyber-operations-an-update_October-2024.pdf

 

[5] ProofPoint Threat Research Team, “Security Brief: Artificial Sweetener: SugarGh0st RAT Used to Target American Artificial Intelligence Experts,” 2024 https://www.proofpoint.com/us/blog/threat-insight/security-brief-artificial-sweetener-sugargh0st-rat-used-target-american

 

[6] Stanish E., “Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group,” 2023 https://www.cbsnews.com/pittsburgh/news/municipal-water-authority-of-aliquippa-hacked-iranian-backed-cyber-group/