Full Report
Microsoft on Thursday unmasked four of the individuals that it said were behind an Azure Abuse Enterprise scheme that involves leveraging unauthorized access to generative artificial intelligence (GenAI) services in order to produce offensive and harmful content. The campaign, called LLMjacking, has targeted various AI offerings, including Microsoft's Azure OpenAI Service. The tech giant is
Analysis Summary
# Threat Actor: Storm-2139 (Microsoft Tracking Name)
## Attribution & Identity
Microsoft's Digital Crimes Unit (DCU) unmasked several individuals associated with this cybercrime network. The named actors are:
* **Arian Yadegarnia** (aka "Fiz") - Identified as being from Iran.
* **Alan Krysiak** (aka "Drago") - Identified as being from the United Kingdom.
* **Ricky Yuen** (aka "cg-dot") - Identified as being from Hong Kong, China.
* **Phát Phùng Tấn** (aka "Asakuri") - Identified as being from Vietnam.
* Additional unnamed co-conspirators/users are located in the US (Illinois, Florida), Austria ("Sekrit"), UK ("dazz"), Turkey ("jawajawaable"), and Russia ("1phlgm").
The network structure is broadly categorized into: **Creators** (develop illicit tools), **Providers** (modify/supply tools), and **End Users** (utilize tools).
## Activity Summary
The threat actors are engaged in an **Azure Abuse Enterprise scheme** labeled **LLMjacking**.
The primary activity involves illegally accessing generative AI services, including Microsoft's Azure OpenAI Service, through exposed or stolen customer credentials, which were scraped from public sources. They modify the capabilities of these services to generate offensive and harmful content, such as non-consensual intimate images of celebrities and sexually explicit material, explicitly to bypass AI safety guardrails. Furthermore, they resell access to these compromised services to other malicious actors, providing instructions for generating illicit content. This follows prior legal action by Microsoft against the group for systematic API key theft.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting exposed customer credentials (stolen from public sources) to unlawfully access accounts with generative AI services.
- **Capability Modification:** Altering the capabilities of GenAI services (like Azure OpenAI) to bypass safety guardrails.
- **Monetization/Distribution:** Reselling access to the altered AI services to other malicious actors.
- **Content Generation:** Producing harmful and illicit synthetic content that violates usage policies.
- **API/Credential Theft:** Systematic theft of API keys from customers (mentioned in prior activity).
- **Obfuscation/Identity:** Actors utilize multiple aliases and span across several international jurisdictions.
- **Infrastructure Seizure:** Microsoft obtained a court order to seize a website believed to be crucial to their operation.
- *No specific MITRE ATT&CK IDs were provided in the source text.*
## Targeting
- **Sectors:** Organizations utilizing generative AI services hosted on platforms like Microsoft Azure OpenAI Service. Customers whose API keys or credentials were stolen are primary targets.
- **Geography:** Actors are based across Iran, UK, Hong Kong (China), Vietnam, US (Illinois, Florida), Austria, Turkey, and Russia. Victims (customers whose credentials were stolen) likely include several U.S. companies.
- **Victims:** Unnamed customers utilizing generative AI services; specifically mentioned is systemic API key theft from "several customers, including several U.S. companies."
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named, but they rely on **illicit tools** developed by the "Creators" category, designed to enable AI service abuse.
- **Infrastructure (C2, domains, IPs):**
- Seized website believed to be crucial to the operation: `aitism[.]net` (defanged)
## Implications
Storm-2139 represents a significant threat in the emerging sphere of AI security (AIsec). Their scheme monetizes the abuse of cloud-based GenAI infrastructure, demonstrating financial incentives for bypassing crucial AI safety mechanisms. The operation involved systematic credential harvesting and the creation of an organized marketplace (Creators/Providers/Users) to distribute and commoditize malicious AI generation capabilities, posing a risk to both cloud providers and organizations whose customer data is used for access resale.
## Mitigations
- Strengthen credential hygiene and ensure customer credentials are not exposed on public sources.
- Implement monitoring and alerting specifically for unusual API usage patterns or modified service behaviors indicative of guardrail circumvention on GenAI instances.
- Review security policies governing the use of outsourced or resold access to generative AI services.
- Ensure robust authentication and access controls around cloud AI services (e.g., Azure OpenAI Service).