Google: Hackers Are Using Gemini AI in Their Attacks

Google Reports Hackers Leveraging Gemini AI for Cyber Attacks

Analysts from the Google Threat Intelligence Group (GTIG) have reported that at least 57 “state-sponsored” hacker groups are experimenting with Gemini AI to increase the effectiveness of their campaigns. The AI is being used to study target infrastructures and conduct reconnaissance operations. Primarily, APT (Advanced Persistent Threat) groups are using Gemini to boost their productivity, rather than to develop malware or bypass traditional security measures. Google notes that Gemini activity linked to APT groups originated from over 20 countries, with the most notable groups coming from Iran and China.

Common Uses of Gemini AI by Hackers

  • Writing tools and scripts
  • Researching publicly disclosed vulnerabilities
  • Studying technologies (explanations and translations)
  • Gathering information about target organizations
  • Finding methods to evade detection, escalate privileges, or conduct internal reconnaissance within compromised networks

According to Google, APT groups from Iran, China, North Korea, and Russia have experimented with Gemini, exploring its capabilities in identifying security vulnerabilities, evading detection, and planning post-compromise actions.

Iranian Hackers: The Most Active Users

Iranian hackers were the most active users of Gemini, accounting for 75% of all observed use. They applied the AI to a range of tasks, including:

  • Searching for defense organizations and international experts
  • Researching publicly disclosed vulnerabilities
  • Developing phishing campaigns and creating content for influence operations
  • Translating and clarifying information in cybersecurity and military technologies, including drones and missile defense systems

More than 30% of Iranian APT attempts to use Gemini were attributed to the APT42 group.

Chinese Hackers: Focused on U.S. Military and Government

Chinese threat actors mainly used Gemini to gather information about U.S. military and government organizations, research vulnerabilities, write scripts for lateral movement and privilege escalation, and for post-breach activities such as evading detection and maintaining persistence in victim networks. They also explored ways to access Microsoft Exchange using password hashes and showed interest in reverse engineering security solutions like Carbon Black EDR. At least 20 hacker groups from China were reported to have used Gemini AI.

North Korean Hackers: Supporting Malicious Operations

North Korean APTs used Gemini as an auxiliary tool for finding free hosting providers, gathering information about target organizations, assisting in malware development, and devising evasion techniques. A significant portion of their activity centered around schemes where fake North Korean IT specialists seek employment at Western companies. Gemini helped these hackers craft job applications, cover letters, and employment proposals under false identities.

Russian Hackers: Minimal Interaction with Gemini

Russian hacker groups interacted with Gemini minimally, mainly using it to help write scripts, translate, and create payloads. Their activity typically focused on rewriting publicly available malware in other programming languages, adding encryption to malicious code, and studying the workings of specific parts of public malware. Researchers believe Russian hackers prefer to use domestically developed AI models and local LLMs, avoiding Western AI tools for security reasons. Only three Russian hacker groups were found to have tested Gemini AI’s capabilities.
