Microsoft and OpenAI jointly disclosed that five nation-state APT groups from Russia, China, Iran, and North Korea had been actively using large language models for offensive cyber operations — from scripting and phishing content to satellite protocol research and CVE analysis — before OpenAI shut down all their accounts.
Stories Covered
Russia, China, Iran, and North Korea APTs Caught Using OpenAI for Cyber Operations
A joint blog post from Microsoft and OpenAI documented five major threat actor clusters — all aligned with nation-state sponsors — using OpenAI’s large language models to enhance offensive cyber operations. After identifying the accounts, OpenAI terminated all of them. The disclosure is notable not because the techniques involved were novel, but because it confirms that nation-state actors are integrating commercial AI into their existing workflows the same way legitimate organizations are: as a productivity accelerator. Microsoft explicitly noted that none of the observed LLM abuse had produced particularly novel or unique attack techniques — these actors were not using AI to discover new attack categories, but to do existing work faster and at better scale.
Forest Blizzard, the GRU-affiliated Russian military unit also known as Fancy Bear and linked to hacks of the Democratic National Committee and Ukrainian military targets, was using LLMs for basic scripting tasks, file manipulation, data selection, and multi-processing, as well as intelligence gathering on satellite communication protocols and radar imaging technologies — capabilities directly relevant to the ongoing war in Ukraine. Two Chinese APT groups were also identified. Charcoal Typhoon (also tracked as APT40 and Aquatic Panda) used LLMs for both pre-compromise and post-compromise tasks: gathering information about specific technologies and vulnerabilities, generating and refining scripts, producing social engineering content in multiple translated languages, and querying for guidance on achieving deeper system access after initial compromise. Salmon Typhoon used OpenAI primarily as an intelligence tool — sourcing publicly available information on high-profile individuals, intelligence agencies, and geopolitical matters — while also attempting, largely without success, to get help writing malicious code and researching stealth tactics. OpenAI’s content policies have progressively restricted responses to requests for explicit malware assistance, so Salmon Typhoon’s attempts to use it that way hit those guardrails repeatedly.
Iran’s Crimson Sandstorm (also known as Imperial Kitten and Tortoiseshell) was using LLMs to develop phishing email content — drafting messages impersonating an international development agency and a feminist advocacy group — as well as generating code for web scraping and task automation, and using ChatGPT as a translation tool to craft convincing lure content in multiple languages. North Korea’s Emerald Sleet (also tracked as Kimsuky) was using LLMs for basic scripting, phishing content generation, and researching publicly available information about CVEs, nuclear weapons experts, think tanks, and government organizations working on defense and nonproliferation. Like the others, Emerald Sleet was using AI as a faster, more interactive search engine for targeting research rather than as a code generation engine for novel attack tooling.
The pattern across all five groups is consistent: LLMs being used as productivity tools that accelerate existing tradecraft rather than enabling entirely new attack categories. An experienced threat actor who would spend three days researching satellite communication protocols can now do it in hours. A group that would take weeks to translate phishing lures across five languages can do it in an afternoon. A developer translating malware from C++ to Golang — a language with historically lower antivirus detection rates because fewer samples exist — can use an LLM to accelerate that translation without needing deep expertise in the target language. None of this is science fiction; all of it represents meaningful operational improvement for groups that already have the underlying capability. The more plausible near-term concern is malware that incorporates on-device AI processing — leveraging the tensor processing units and dedicated AI cores now shipping in consumer hardware from Apple, Google, and others — to enable adaptive behavior that evades signature detection. That capability does not exist in deployed malware today, but the hardware prerequisites are proliferating rapidly.
Leave a Reply