Washington, Feb 15 (Representative) Microsoft said on Wednesday that hacker groups allegedly linked to Russia, China, Iran and North Korea are exploiting its OpenAI tools to enhance their cyberoperations. All four countries deny involvement in cyber attacks. “In collaboration with OpenAI, we are sharing threat intelligence showing detected state-affiliated adversaries—tracked as Forest Blizzard, Emerald Sleet, Crimson Sandstorm, Charcoal Typhoon, and Salmon Typhoon— using LLMs [large language models] to augment cyberoperations,” Microsoft said in a report. The company alleged that Forest Blizzard is a “highly effective Russian military intelligence actor” linked to the Main Directorate of the General Staff of the Armed Forces. “Its activities span a variety of sectors including defense, transportation/logistics, government, energy, NGOs, and information technology,” the report stated. North Korea’s Emerald Sleet allegedly uses Artificial Intelligence in getting expert opinions on North Korea. Content generation is likely to be used in phishing campaigns, the report said. Crimson Sandstorm is an “Iranian threat actor” purportedly connected to the Islamic Revolutionary Guard Corps, according to Microsoft.
“The use of LLMs has involved requests for support around social engineering, assistance in troubleshooting errors, .NET development, and ways in which an attacker might evade detection when on a compromised machine,” the report said. The company also identified two Chinese groups of concern. Charcoal Typhoon, according to Microsoft, mostly focuses on tracking groups and individuals in Taiwan, Thailand, Mongolia, France, Nepal and globally who oppose Beijing’s policies. Another group, Salmon Typhoon, has been assessing the effectiveness of using LLMs throughout 2023 to source information on potentially sensitive topics, the report said. “Our research with OpenAI has not identified significant attacks employing the LLMs we monitor closely,” the report stated. Microsoft reassured clients that the company has taken measures to disrupt assets and accounts associated with the alleged threat actors and shape the guardrails and safety mechanisms around its models.