China, Russia, Iran, North Korea Use OpenAI Tools for Hacking: Microsoft

OpenAI and Microsoft disabled generative AI accounts associated with five state-affiliated hacker groups.
Frank Fang

State-affiliated hackers from China, Iran, North Korea, and Russia tried to use OpenAI’s tools to improve their offensive cyber operations, according to research published by the ChatGPT developer and Microsoft on Feb. 14.

OpenAI and Microsoft disabled generative artificial intelligence (AI) accounts associated with five state-affiliated groups: Charcoal Typhoon and Salmon Typhoon from China, Forest Blizzard from Russia, Emerald Sleet from North Korea, and Crimson Sandstorm from Iran.

While the groups’ techniques were not “particularly novel or unique,” Microsoft stated in a blog post that their actions represented “emerging threats in the age of AI.” The threats included attempted misuse of large language models (LLMs) and fraud.

“Our analysis of the current use of LLM technology by threat actors revealed behaviors consistent with attackers using AI as another productivity tool on the offensive landscape,” Microsoft wrote.

“Importantly, our research with OpenAI has not identified significant attacks employing the LLMs we monitor closely.”

Microsoft emphasized that its research aims to “expose early-stage, incremental moves” that it observes “well-known threat actors attempting.”

“In partnership with Microsoft Threat Intelligence, we have disrupted five state-affiliated actors that sought to use AI services in support of malicious cyber activities,” OpenAI stated in a blog post.

OpenAI stated that while it won’t be able to stop every misuse of its systems by malicious actors, the company will continue to “make it harder” for such actors to “remain undetected across the digital systems.”

“The vast majority of people use our systems to help improve their daily lives, from virtual tutors for students to apps that can transcribe the world for people who are seeing impaired,” OpenAI stated.

“As is the case with many other ecosystems, there are a handful of malicious actors that require sustained attention so that everyone else can continue to enjoy the benefits.”

Bob Rotsted, who leads cybersecurity threat intelligence at OpenAI, said, “This is one of the first, if not the first, instances of an AI company coming out and discussing publicly how cybersecurity threat actors use AI technologies,” according to Reuters.

Hacker Groups

Chinese hacker group Charcoal Typhoon is known for targeting sectors such as government, oil and gas, communication infrastructure, and information technology while focusing on entities in Taiwan, Thailand, Mongolia, Malaysia, France, and Nepal, as well as “institutions and individuals globally who oppose China’s policies,” according to Microsoft.

Charcoal Typhoon interacted with LLMs “in ways that suggest a limited exploration of how LLMs can augment their technical operations,” according to Microsoft.

“Charcoal Typhoon used our services to research various companies and cybersecurity tools, debug code and generate scripts, and create content likely for use in phishing campaigns,” OpenAI stated.

The other Chinese hacking group, Salmon Typhoon, has a history of targeting U.S. defense contractors, government agencies, and entities within the cryptographic technology sector, according to Microsoft. The Redmond-based company stated that the threat actor is known for deploying malware to maintain access to compromised systems.

Microsoft revealed that Salmon Typhoon was evaluating the effectiveness of LLMs as a source of information “on potentially sensitive topics, high profile individuals, regional geopolitics, U.S. influence, and internal affairs.”

“This tentative engagement with LLMs could reflect both a broadening of their intelligence-gathering toolkit and an experimental phase in assessing the capabilities of emerging technologies,” Microsoft wrote.

OpenAI wrote that Salmon Typhoon used its services to “translate technical papers, retrieve publicly available information on multiple intelligence agencies and regional threat actors, assist with coding, and research common ways processes could be hidden on a system.”

Among other activities, the Iranian group Crimson Sandstorm used LLMs to generate a variety of phishing emails, one of them “pretending to come from an international development agency,” according to Microsoft.

The North Korean hackers known as Emerald Sleet also used LLMs for different activities, including generating content “likely to be used in spear-phishing campaigns” targeting individuals, according to Microsoft.

Microsoft assessed that Russian hackers known as Forest Blizzard “play a significant supporting role to Russia’s foreign policy and military objectives both in Ukraine and in the broader international community.” Among the group’s uses of LLMs was acquiring in-depth knowledge of satellite capabilities.

Frank Fang is a Taiwan-based journalist. He covers U.S., China, and Taiwan news. He holds a master's degree in materials science from Tsinghua University in Taiwan.