Nation-state threat actors using LLMs to boost cyber operations

Emerald Sleet (Thallium)

Emerald Sleet — a North Korean threat actor that relies on spear-phishing emails to compromise and gather intelligence on prominent North Koreans — has used LLMs to understand publicly known vulnerabilities, to troubleshoot technical issues, and for assistance with using various web technologies.

The report found that Emerald Sleet used LLM-assisted vulnerability research and used LLMs to better understand publicly reported vulnerabilities, such as the CVE-2022-30190 Microsoft Support Diagnostic Tool (MSDT) vulnerability. It also used LLM-enhanced scripting techniques but not with the same purpose as Forest Blizzard. It used LLMs for basic scripting tasks such as programmatically identifying certain user events on a system and seeking assistance with troubleshooting and understanding various web technologies.

Emerald Sleet used LLM-supported social engineering for assistance with the drafting and generating content that, according to the report, would likely be for use in spear-phishing campaigns against individuals with regional expertise. It also used LLM-informed reconnaissance, again with a different focus from Forest Blizzard: It used LLMs to identify think tanks, government organizations, or experts on North Korea that have a focus on defense issues or North Korea’s nuclear weapon’s program.

Crimson Sandstorm (Curium)

Crimson Sandstorm — an Iranian group assessed to be connected to the Islamic Revolutionary Guard Corps (IRGC) — has used LLMs to request support around social engineering, assistance in troubleshooting errors, .NET development, and ways in which an attacker might evade detection when on a compromised machine. Crimson Sandstorm used LLM-supported social engineering to generate phishing emails. It also used LLM-enhanced scripting techniques to generate code snippets intended to support app and web development, interactions with remote servers, web scraping, executing tasks when users sign in, and sending information from a system via email. The group also used LLM-enhanced anomaly detection evasion, an attempt to use LLMs for assistance in developing code to evade detection, to learn how to disable antivirus via registry or Windows policies, and to delete files in a directory after an application has been closed.

Charcoal Typhoon (Chromium)

Charcoal Typhoon — a Chinese state-affiliated threat actor with activities predominantly focused on entities within Taiwan, Thailand, Mongolia, Malaysia, France, and Nepal — has used LLMs to support tooling development, scripting, understand various commodity cybersecurity tools, and to generate content that could be used to social engineer targets.

More specifically, it used LLM-informed reconnaissance to research and understand specific technologies, platforms, and vulnerabilities, indicative of preliminary information-gathering stages. Charcoal Typhoon used LLM-enhanced scripting techniques to generate and refine scripts, potentially to streamline and automate complex cyber tasks and operations.