Full Report
Meanwhile, IP-stealing 'distillation attacks' on the rise

A Chinese government hacking group that has been sanctioned for targeting America's critical infrastructure used Google's AI chatbot, Gemini, to auto-analyze vulnerabilities and plan cyberattacks against US organizations, the company says.…
Analysis Summary
# Threat Actor: APT31
## Attribution & Identity
* **Identification:** Chinese government hacking group.
* **Known Aliases:** Violet Typhoon, Zirconium, Judgment Panda.
* **Associations:** Sanctioned by the US government for targeting US critical infrastructure. Seven members were criminally charged in March 2024.
## Activity Summary
APT31 was recently observed experimenting with and adopting Google's AI chatbot, Gemini, to support near-autonomous offensive operations. The most recent attempts to use Gemini occurred in late 2023. The group employed a structured approach: prompt engineering with an expert cybersecurity persona was used to automate vulnerability analysis and to develop targeted testing plans against US organizations.
## Tactics, Techniques & Procedures
* **AI-Assisted Reconnaissance & Planning:** Prompting Google Gemini with an expert cybersecurity persona to automate the analysis of vulnerabilities and generate targeted testing plans.
* **Exploit Analysis:** Used the open-source red-teaming tool Hexstrike (built on Model Context Protocol/MCP) integrated with Gemini to analyze various exploits, including:
  * Remote Code Execution (RCE)
  * Web Application Firewall (WAF) bypass techniques
  * SQL Injection
* **Automated Intelligence Gathering:** Integrating Hexstrike with Gemini to automate intelligence gathering to identify technological vulnerabilities and organizational defense weaknesses.
* **Model Extraction ("Distillation Attacks"):** Attempting IP-stealing "distillation attacks" against Google's AI products to gain insights into the model's reasoning, potentially to replicate its technology.
## Targeting
* **Sectors:** Critical Infrastructure (mentioned in context of sanctions), general US organizations.
* **Geography:** US organizations.
* **Victims:** Numerous high-value targets whose computer networks, email accounts, and cloud storage were previously compromised. Specific current victims were not named, only "specific US-based targets" reviewed during the AI experimentation phase.
## Tools & Infrastructure
* **AI Platforms Used:** Google Gemini.
* **Custom/Associated Tools:** Hexstrike (open-source red-teaming tool built on MCP).
* **Infrastructure:** Google disabled accounts linked to the observed campaign activity.
## Implications
The actor's adoption of AI tools like Gemini and Hexstrike demonstrates a move towards "agentic approaches" for scaling offensive cyber operations. These tools greatly assist in automating intelligence gathering, vulnerability analysis, and exploit development, enabling faster intrusion cycles with minimal human intervention and significantly widening the existing "patch gap." The interest in distillation attacks suggests an effort to accelerate the actor's own technological capabilities by replicating commercial/proprietary AI logic.
## Mitigations
* Defenders must leverage AI themselves to respond to security weaknesses at machine speed, removing humans from the loop for faster patching cycles.
* Security analysis should account for threat actors using AI to probe for and analyze vulnerabilities (RCE, WAF bypass, SQLi).
* Organizations must secure their proprietary AI models against model extraction/distillation attacks, as this represents valuable IP theft.
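The last mitigation is easier to act on with a concrete detection. The Python below is an added example, not code from the report or from Google; it flags API clients whose usage pattern resembles model extraction (sustained volume, almost no repeated prompts, consistently long outputs harvested at a steady cadence). The log format, the client key names, the sample data and the thresholds are all constructed assumptions for illustration.

```python
"""Heuristic detector for distillation-style harvesting of a model API.

Added example: the log format (timestamp, api_key, prompt_hash, output_tokens),
the client keys and every threshold are assumptions, not values from the report.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_logs():
    """Constructed sample: one ordinary client (repeated, short tasks) and one
    client that walks through many unique prompts at a steady cadence, pulling
    long outputs each time."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    normal_prompts = [
        "summarize this ticket", "fix my regex", "summarize this ticket",
        "translate to french", "fix my regex", "summarize this ticket",
        "draft an email", "translate to french",
    ]
    for i, prompt in enumerate(normal_prompts):
        ts = base + timedelta(minutes=7 * i)
        h = hashlib.sha256(prompt.encode()).hexdigest()[:12]
        lines.append(f"{ts.isoformat()} key_normal {h} {120 + 10 * i}")
    for i in range(40):  # 40 unique prompts, one every 30 seconds, long outputs
        prompt = f"explain step by step topic {i}"
        ts = base + timedelta(seconds=30 * i)
        h = hashlib.sha256(prompt.encode()).hexdigest()[:12]
        lines.append(f"{ts.isoformat()} key_harvest {h} {900 + i}")
    return lines


def parse_line(line):
    """Split one assumed gateway log line into typed fields."""
    ts, key, prompt_hash, tokens = line.split()
    return datetime.fromisoformat(ts), key, prompt_hash, int(tokens)


def per_key_stats(lines):
    """Aggregate request count, prompt diversity, output size and rate per key."""
    acc = defaultdict(lambda: {"requests": 0, "hashes": set(), "tokens": 0,
                               "first": None, "last": None})
    for line in lines:
        ts, key, h, tok = parse_line(line)
        s = acc[key]
        s["requests"] += 1
        s["hashes"].add(h)
        s["tokens"] += tok
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    stats = {}
    for key, s in acc.items():
        span_min = max((s["last"] - s["first"]).total_seconds() / 60, 1.0)
        stats[key] = {
            "requests": s["requests"],
            "unique_ratio": len(s["hashes"]) / s["requests"],
            "avg_output_tokens": s["tokens"] / s["requests"],
            "requests_per_min": s["requests"] / span_min,
        }
    return stats


def flag_extraction_candidates(stats, min_requests=25, min_unique_ratio=0.9,
                               min_avg_tokens=500):
    """Return keys that combine volume, near-total prompt novelty and long
    outputs; thresholds are placeholders to be tuned against a real baseline."""
    return sorted(
        key for key, s in stats.items()
        if s["requests"] >= min_requests
        and s["unique_ratio"] >= min_unique_ratio
        and s["avg_output_tokens"] >= min_avg_tokens
    )


if __name__ == "__main__":
    stats = per_key_stats(build_sample_logs())
    for key, s in stats.items():
        print(key, {k: round(v, 2) for k, v in s.items()})
    print("candidates:", flag_extraction_candidates(stats))
```

On the constructed sample only `key_harvest` is flagged: 40 requests with a unique-prompt ratio of 1.0 and an average of about 920 output tokens, against 8 requests and a ratio of 0.5 for the ordinary client. In practice the signal is a trigger for rate limiting and review rather than a verdict; legitimate batch users can look similar, so thresholds need a baseline from your own gateway logs.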