State-Sponsored Hackers Employ ChatGPT in Cybercrime Schemes, Microsoft Reports

Advanced Persistent Threat (APT) groups have been adopting and leveraging Artificial Intelligence (AI) to enhance their productivity and evade security measures employed by defenders.

Through their security partnership, Microsoft and OpenAI say they are positioned to respond to both established and emerging threats. Microsoft Threat Intelligence tracks more than 300 distinct threat actors, including 160 nation-state actors and 50 ransomware groups.

Cybercrime organizations, nation-state actors, and other adversaries are evaluating new AI technologies to determine how useful they are for their attack methods.

OpenAI recently shut down a number of accounts associated with these actors that were being used to draft phishing messages and to assist with scripting for malicious activity.

These accounts were using OpenAI’s language models to produce convincing, well-written fraudulent messages aimed at stealing valuable information or delivering malicious software to victims’ systems.

While OpenAI’s technology is powerful and valuable, it can also be misused, and the company says it remains committed to detecting and preventing such misuse wherever possible.


The language and translation capabilities of LLMs are especially attractive to threat actors who rely on social engineering and other deceptive communications, because they make it easier to produce fluent, targeted lures in a victim’s language.

However, according to the joint Microsoft and OpenAI research, no significant attacks relying on LLMs have yet been identified. The research is nonetheless important for spotting early-stage experimentation by well-known threat actors and for sharing with the defensive community how such activity can be blocked and countered.

Keeping track of APT groups and their tactics, techniques, and procedures is crucial for cybersecurity experts.

Details of Some of the Notorious APT Groups and Their Targets:

  • Salmon Typhoon (SODIUM), a Chinese state-affiliated APT group, targets US defense contractors, government institutions, and cryptographic technology companies. They use malware like Win32/Wkysol to access vulnerable systems remotely.
  • Charcoal Typhoon (CHROMIUM), another Chinese state-affiliated APT group, targets government, higher education, communications infrastructure, oil & gas, and IT, with their primary focus being Taiwan, Thailand, Mongolia, Malaysia, France, and Nepal. However, they are also interested in worldwide anti-China groups.
  • Crimson Sandstorm (CURIUM), an Iranian APT group linked to the Islamic Revolutionary Guard Corps, has been active since 2017 and targets defense, maritime shipping, transportation, healthcare, and technology. They regularly spread custom .NET malware using watering hole attacks and social engineering.
  • Emerald Sleet (THALLIUM), a North Korean APT group, uses spear-phishing emails to compromise and gather intelligence from prominent experts on North Korea. They have been known to impersonate legitimate academic institutions and NGOs to lure victims into replying with expert opinions on foreign policy related to North Korea.
  • Forest Blizzard (STRONTIUM), a Russian military intelligence APT group related to GRU Unit 26165, targets tactical and strategic organizations in defense, transportation/logistics, government, energy, NGOs, and IT. They have been known to target Russia’s war in Ukraine-related organizations, and Microsoft believes their operations support Russia’s foreign policy and military goals in Ukraine and abroad.

Threat actors have been keeping up with technological advances alongside defenders for years. Like defenders, threat actors are also exploring AI, including LLMs, to boost productivity and use available platforms to further their goals and attack methods.

Different types of threat actors will continue to study and refine their use of AI technologies. Microsoft says it will keep monitoring malicious actors and their LLM-related activity, and will continue to collaborate with OpenAI and other partners to exchange information, strengthen customer protections, and support the wider security community.


Divya is a Senior Journalist at Cyber Security News covering cyber attacks, threats, breaches, vulnerabilities, and other happenings in the cyber world.