Google recently issued a warning stating that advanced persistent threat (APT) organizations backed by multiple governments are using its AI assistant, Gemini, to work more efficiently and improve their attack capabilities. These hackers are not using Gemini to create novel cyber attacks; rather, they are leveraging the tool to research potential attack infrastructure and conduct target reconnaissance, thereby shortening their preparation time.

The Google Threat Intelligence Group (GTIG) discovered that APT organizations from over 20 countries are actively experimenting with Gemini, with particularly notable activities from Iranian and Chinese hackers. The hackers are using Gemini to assist in developing tools and scripts, researching publicly available vulnerabilities, translating technical documents, conducting reconnaissance on target organizations, and finding methods to evade detection. It can be said that Gemini is becoming part of their "new arsenal."

[Image: Hacker Cyber Attack. Image generated by AI; image authorized by service provider Midjourney]

For example, Iranian hackers are utilizing Gemini for various activities, including reconnaissance of defense organizations and international experts, researching known vulnerabilities, developing phishing activities, and creating content for influence operations. Additionally, they are using Gemini to translate and explain military technologies, including areas like drones and missile defense systems.

Meanwhile, Chinese-backed hackers primarily focus on reconnaissance of U.S. military and government agencies, using Gemini for vulnerability research, script writing, and privilege escalation. They have also explored ways to gain access to Microsoft Exchange using password hashes, and have even used it to reverse-engineer some security tools.

North Korean APT organizations are also actively using Gemini, covering multiple stages of the attack lifecycle, researching free hosting services, conducting target reconnaissance, and developing malware. They are also leveraging Gemini to assist North Korean IT workers in drafting job applications under false identities to obtain positions in Western companies.

In contrast, Russian hackers have been less active in using Gemini, primarily focusing on script assistance and translation. Their activities show a preference for domestically developed AI models, possibly for operational security reasons, to avoid using Western tools.

It is worth noting that although hackers have attempted to use publicly available jailbreaks against Gemini, these attempts have been unsuccessful. These findings also reflect a broader pattern of generative AI misuse. As the AI market continues to expand, the number of models lacking protective safeguards is growing, presenting new challenges for cybersecurity.