Full Report
Google on Thursday said it observed the North Korea-linked threat actor known as UNC2970 using its generative artificial intelligence (AI) model Gemini to conduct reconnaissance on its targets, as various hacking groups continue to weaponize the tool for accelerating various phases of the cyber attack life cycle, enabling information operations, and even conducting model extraction attacks. "The
Analysis Summary
# Threat Actor: UNC2970
## Attribution & Identity
- **Attribution:** North Korea-linked threat actor.
- **Known Aliases/Associated Groups:** Overlaps substantially with Lazarus Group, Diamond Sleet, and Hidden Cobra.
- **Motivation/Objectives:** Cyber espionage, assessed as state-sponsored, focused on defense-sector targets. Reconnaissance supports initial compromise through recruitment-themed social engineering: spear-phishing in which the actor poses as a recruiter (not business email compromise in the payment-fraud sense).
## Activity Summary
Recent activity involved using Google's Gemini generative AI model to accelerate reconnaissance. The actor used Gemini to synthesize Open-Source Intelligence (OSINT) and profile high-value targets in support of campaign planning. This activity blurs the line between legitimate professional research and malicious reconnaissance, since the queries themselves (company profiles, job roles, salary ranges) are the same ones a job seeker or market analyst would run.
## Tactics, Techniques & Procedures
- **Reconnaissance/Target Profiling via AI:** Used Gemini to search for information on major cybersecurity and defense companies, and to map specific technical job roles and associated salary information.
- **Persona Crafting:** Used reconnaissance results to craft tailored phishing personas.
- **Historical Campaigns:** Best known for orchestrating **Operation Dream Job**, which targets aerospace, defense, and energy sectors under the pretext of job openings.
- **Impersonation:** Consistently focuses on impersonating corporate recruiters in campaigns.
- **AI Tool Usage:** Utilizing generative AI (Gemini) to expedite early-stage attack planning.
## Targeting
- **Sectors:** Aerospace, Defense, and Energy sectors (specifically mentioned in relation to Operation Dream Job). Cybersecurity companies are also targets of reconnaissance.
- **Geography:** Not explicitly detailed, but contextually implies targets relevant to North Korean state interests.
- **Victims:** Major cybersecurity and defense companies; individuals working in technical job roles within these sectors.
## Tools & Infrastructure
- **Malware Families Used:** Associated with malware deployed under Operation Dream Job (specific names not detailed in this excerpt).
- **AI Tools Weaponized:** Google Gemini (for reconnaissance and profiling).
- **Infrastructure:** Not detailed in the provided excerpt.
## Implications
UNC2970 is integrating generative AI tools such as Gemini into its espionage campaigns to increase the efficiency and tailoring of initial access operations. The focus on mapping technical job roles and salary information points to highly targeted spear-phishing aimed at personnel within sensitive sectors, using recruiter personas whose details match real positions. This represents rapid adoption of new technology by an established state-sponsored threat group.
## Mitigations
Defense recommendations are implied by the actor's TTPs:
- Enhanced scrutiny of recruitment approaches, especially those related to high-value sectors (Defense/Aerospace).
- Increased vigilance against phishing campaigns that leverage highly specific technical job role or salary information, indicating deep reconnaissance.
- Treating unsolicited recruiter outreach that cites precise role and salary details as a possible product of AI-assisted reconnaissance rather than as evidence of legitimacy; verify the recruiter through the company's official careers channel, not through contact details in the message.
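The two mitigations above can be turned into a mail-triage check. The following is an added example written for this page (not code from Google, Mandiant, or the report): it flags recruiter-themed messages whose sender domain is a lookalike of a trusted recruiting domain, whose Reply-To points elsewhere, or which pair a specific role with a salary figure from an untrusted sender. The trusted-domain list, heuristics, and the three sample messages are all constructed assumptions for illustration.

```python
"""Triage inbound recruiter-themed mail for recruitment-lure indicators.

Added example (editor's code, not Google's or the report's). The trusted
domain list, freemail list and scoring rules are assumptions to tune locally.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist: recruiting domains the organisation already trusts.
KNOWN_RECRUITING_DOMAINS = {"careers.example-defense.com", "jobs.example-aero.com"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "protonmail.com", "yahoo.com"}
RECRUIT_TERMS = re.compile(
    r"\b(position|role|opening|opportunity|recruit\w*|hiring|job description)\b", re.I)
# "$185,000", "£95,000" or "160k" style compensation figures.
SALARY_RE = re.compile(r"[$€£]\s?\d{2,3}(?:,\d{3})+|\b\d{2,3}k\b", re.I)


def levenshtein(a, b):
    """Edit distance; small distances to a trusted domain signal a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if exact or unrelated."""
    if domain in KNOWN_RECRUITING_DOMAINS:
        return None
    for known in sorted(KNOWN_RECRUITING_DOMAINS):
        if levenshtein(domain, known) <= 2:
            return known
    return None


def _body_text(msg):
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def triage(raw):
    """Return {'verdict': ..., 'findings': [...]} for one RFC 5322 message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    body = _body_text(msg)
    findings = []
    trusted = domain in KNOWN_RECRUITING_DOMAINS
    if not trusted:
        target = lookalike_of(domain)
        if target:
            findings.append(f"sender domain {domain} is a lookalike of trusted {target}")
        elif domain in FREEMAIL_DOMAINS and RECRUIT_TERMS.search(body):
            findings.append(f"recruiter pitch sent from freemail domain {domain}")
        if RECRUIT_TERMS.search(body) and SALARY_RE.search(body):
            findings.append("specific role plus salary figure from untrusted sender (deep-recon lure pattern)")
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    if findings:
        verdict = "suspicious"
    else:
        verdict = "trusted" if trusted else "no indicators"
    return {"verdict": verdict, "findings": findings}


# Constructed sample messages (not real traffic).
LURE_MSG = """\
From: "Example Defense Talent Team" <recruiting@careers.example-defence.com>
Reply-To: talent.example@protonmail.com
Subject: Senior Embedded Security Engineer - confidential opportunity
Content-Type: text/plain

I came across your profile. We are hiring for a Senior Embedded Security
Engineer role on our avionics team, compensation around $185,000 plus equity.
Please review the attached job description and reply to set up a call.
"""

LEGIT_MSG = """\
From: "Careers" <careers@careers.example-defense.com>
Subject: Your application: Firmware Engineer
Content-Type: text/plain

Thanks for applying for the Firmware Engineer position (band $150,000-$170,000).
A member of the hiring team will contact you via this address.
"""

FREEMAIL_MSG = """\
From: "Jordan Lee" <jordan.lee.recruits@gmail.com>
Subject: Opening at a defense contractor
Content-Type: text/plain

I'm a recruiter working with a defense contractor. They have an opening for a
Firmware Engineer paying 160k. Can we talk this week?
"""

if __name__ == "__main__":
    for name, raw in [("lure", LURE_MSG), ("legit", LEGIT_MSG), ("freemail", FREEMAIL_MSG)]:
        print(name, triage(raw))
```

The role-plus-salary rule is deliberately suppressed for allowlisted senders: salary detail is only an indicator when it arrives from a domain the organisation does not already do recruiting through, which is exactly the asymmetry the AI-assisted profiling described above exploits.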