Cybercriminals have been quick to see nefarious possibilities in search engine giant Google’s new Gemini 2.0 AI assistant. According to Google’s own findings, nation-state-backed threat actors are already leveraging Gemini to accelerate their criminal campaigns.
The actors are using Gemini 2.0 for “researching potential infrastructure and free hosting providers, reconnaissance on target organizations, research into vulnerabilities, payload development, and assistance with malicious scripting and evasion techniques,” says Google.
So far, Iranian threat actors have been the heaviest users of Gemini, employing it for a wide range of purposes. Over 10 Iran-backed groups have been observed using Gemini, including to research methods for extracting data from Android devices, such as SMS messages, accounts, contacts, and social media accounts. Over 30 percent of Iranian threat actors’ Gemini use was linked to the cybercriminal group APT42, which focuses its use of Gemini on crafting successful phishing campaigns. Google observed the group using Gemini to conduct reconnaissance into individual policy and defense experts, as well as organizations of interest to the group.
Chinese and Russian threat groups also use Gemini
Google also observes Chinese and Russian threat actors using Gemini primarily for general research and content creation. Over 20 Chinese cybercriminal groups are known to use Gemini for research into US military and US-based IT organizations. Four Russia-linked cybercriminal groups were also seen to be using Gemini for functions ranging from translating technical and business terminology into Russian to carrying out detailed research into Russia’s war with Ukraine.
“Generative AI allows threat actors to move faster and at higher volume. For skilled actors, generative AI tools provide a helpful framework… For less skilled actors, they also provide a learning and productivity tool,” says Google.
Nine North Korean threat actors are also using Gemini to draft cover letters and research jobs, potentially enabling North Korea to place clandestine IT workers at Western companies. One North Korea-backed group used Gemini to draft cover letters and proposals for job descriptions, research average salaries for specific jobs, and ask about jobs on LinkedIn. The group also used Gemini to find information about overseas employee exchanges.
According to Google: “The usage is likely related to North Korea’s ongoing efforts to place clandestine workers in freelance gigs or full-time jobs at Western firms. The scheme, which involves thousands of North Korean workers and has affected hundreds of US-based companies, uses IT workers with false identities to complete freelance work and send wages back to the North Korean regime.”