The Google Threat Intelligence Group (GTIG) has published new information revealing how threat actors, among them nation state-backed advanced persistent threat (APT) operations working on behalf of the governments of China, Iran, North Korea and Russia, use its Gemini artificial intelligence (AI) tool.

Google said that government actors from at least 20 countries had used Gemini, with the highest volume of use originating from China- and Iran-based groups.

These actors attempted to use Gemini to support multiple phases of their attack chains, from procuring infrastructure and so-called bulletproof hosting services, through reconnaissance and payload development, to assistance with malicious scripting and post-compromise evasion techniques.

The Iranians, who appear to be the heaviest “users” of Gemini, tend to use it for research on defence organisations and vulnerabilities, and for creating content for phishing campaigns, often with cyber security themes. Their targets are perennially linked to Iran's Middle Eastern neighbours and to US and Israeli interests in the region.

Chinese APTs, on the other hand, favour it for reconnaissance, scripting and development, code troubleshooting, and researching topics such as lateral movement, privilege escalation, data exfiltration and intellectual property (IP) theft.

China's targets are generally the usual ones: government IT providers and the intelligence community.

North Korean and Russian groups are more limited in their use of Gemini, with the North Koreans tending to stick to topics of interest to the regime, including cryptocurrency assets, and to supporting an effort in which Pyongyang has been placing clandestine 'fake' IT contractors at target organisations.

Coding tasks

Russian use of the tool is currently limited, and mainly focuses on coding tasks, including adding encryption functions – possibly evidence of the abiding links between the Russian state and financially motivated ransomware gangs.

“Our findings, which are consistent with those of our industry peers, reveal that while AI can be a useful tool for threat actors, it is not yet the game-changer it is sometimes portrayed to be.

“While we do see threat actors using generative AI to perform common tasks like troubleshooting, research and content generation, we do not see indications of them developing novel capabilities.

“For skilled actors, generative AI tools provide a helpful framework, similar to the use of Metasploit or Cobalt Strike in cyber threat activity. For less skilled actors, they also provide a learning and productivity tool, enabling them to more quickly develop and incorporate existing techniques.

“However, current LLMs on their own are unlikely to enable breakthrough capabilities for threat actors. We note that the AI landscape is in constant flux, with new AI models and agentic systems emerging daily. As this evolution unfolds, GTIG anticipates the threat landscape to evolve in stride as threat actors adopt new AI technologies in their operations.”

GTIG said it had, however, observed a “handful” of cases in which threat actors conducted low-effort experimentation using publicly known jailbreak prompts to try to get around Gemini's safety responses, for example asking for basic instructions on how to create malware.

In one instance, an APT actor was observed copying publicly available prompts into Gemini and appending them with basic instructions on how to encode text from a file and write it to an executable. In this instance, Gemini provided Python code to convert Base64 to hex, but its safety fallback responses kicked in when the user then requested the same code as a VBScript.

The same group was also observed attempting to request Python code for use in the creation of a distributed denial of service (DDoS) tool, a request Gemini declined to assist with. The threat actor then abandoned the session.

“Some malicious actors unsuccessfully attempted to prompt Gemini for guidance on abusing Google products, such as advanced phishing techniques for Gmail, assistance with coding, and methods to bypass Google's account creation verification methods,” said the GTIG team.

“These attempts were unsuccessful. Gemini did not produce malware or other such content; instead, the responses consisted of safety-guided content and generally helpful, neutral advice about coding and cyber security.

“In our continuous work to protect Google and our users, we have not seen threat actors either expand their capabilities or better succeed in their efforts to bypass Google's defences.”

The full research dossier can be downloaded from Google.
