The rapid advancement of Artificial Intelligence (AI) offers unprecedented opportunities across various sectors, from scientific breakthroughs to cybersecurity enhancements. AI's potential to revolutionize digital defense, empower security professionals, and strengthen our collective security is undeniable. Large Language Models (LLMs), for example, are streamlining operations through their ability to sift through complex data, facilitate secure coding, and expedite vulnerability discovery.
However, the availability of these same AI capabilities to malicious actors has raised concerns about the potential for AI misuse. In a new report, the Google Threat Intelligence Group (GTIG) shares a comprehensive analysis of how threat actors are interacting with Google's AI-powered assistant, Gemini, providing valuable insights into the current state of AI misuse.
Much of the current discussion surrounding cyber threat actors’ misuse of AI remains theoretical. While studies demonstrate the potential for malicious exploitation, they often fail to reflect the reality of how AI is currently being used in the wild. To address this gap, GTIG conducted an extensive analysis of threat actor interactions with Gemini.
This analysis leverages the expertise of GTIG, which combines decades of experience in tracking threat actors and protecting Google, its users, and its customers from government-backed attackers, targeted 0-day exploits, coordinated information operations (IO), and serious cybercrime networks.
Google believes that a collaborative approach involving the private sector, governments, educational institutions, and other stakeholders is crucial to maximizing AI's benefits while minimizing the risks of abuse. Google is committed to developing responsible AI, guided by its AI principles, and regularly shares resources and best practices to promote responsible AI development across the industry.
The company continuously improves its AI models to make them less susceptible to misuse and applies its intelligence to enhance defenses and protect users from cyber threats. Proactive disruption of malicious activity and the sharing of findings with the security community are also key components of Google's strategy to foster a safer internet.
GTIG's report, which is available for download, delves into how advanced persistent threat (APT) and coordinated information operations actors are attempting to misuse Gemini. The analysis, which involved a combination of analyst review and LLM-assisted analysis of prompts, revealed several key findings:
The report suggests that generative AI, in its current state, primarily serves as an accelerator for threat actors, enabling them to move faster and at higher volume. For skilled actors, these tools provide a helpful framework, similar to Metasploit or Cobalt Strike. For less skilled actors, they offer a learning and productivity tool, facilitating quicker development and incorporation of existing techniques.
However, GTIG emphasizes that current LLMs are unlikely to enable breakthrough capabilities for threat actors on their own. The AI landscape is constantly evolving, and GTIG anticipates that the threat landscape will adapt in stride as new AI models and agentic systems emerge.
One specific area of concern is the potential for "AI jailbreaks," which are a type of prompt injection attack. GTIG observed a handful of cases of low-effort experimentation using publicly available jailbreak prompts in unsuccessful attempts to bypass Gemini's safety controls.
These attacks can cause an AI model to behave in unintended ways, such as outputting unsafe content or leaking sensitive information. Controls against prompt injection include input/output validation and sanitization, as well as adversarial training and testing.
The GTIG analysis also provided valuable insights into the activities of APT actors from different countries:
GTIG's report provides a valuable snapshot of the current landscape of AI misuse by threat actors. While AI has not yet become a "game-changer" in cyberattacks, it is essential to remain vigilant and continuously adapt security measures as AI technology evolves.
By sharing these findings, Google aims to raise awareness within the security community and enable stronger protections for all, contributing to a safer and more secure digital world.