Full Report
Nation-state threat actors are using generative AI tools to refine their attack techniques, but they aren’t yet using GenAI to create new attack vectors, according to a presentation at this week’s RSAC Conference that offered insight into how hackers are using GenAI tools. “Our analysis shows that while AI is a useful tool for common tasks, we haven’t yet seen indications of adversaries developing any fundamentally new attack vectors with these models,” Sandra Joyce, VP for Google Threat Intelligence, told the RSAC 2025 Conference. “Ultimately attackers are using GenAI the way many of us are, as a productivity tool. They help to brainstorm, to refine their work, that sort of thing.” The role of AI in cybersecurity was a key topic in well over 100 sessions at the annual RSAC Conference, which became independent from security vendor RSA in 2022 and rebranded as RSAC this year. Iran, China and North Korea Threat Groups are Biggest GenAI Users Joyce said APT groups from more than 20 countries accessed Google’s public Gemini GenAI services. Iranian threat actors were the heaviest users, and Google also saw “notable activity” from China and North Korea-linked threat actors. Guardrails and security measures restricted adversarial capabilities, Joyce said, and more malicious requests generated safety responses from Gemini. Threat actors are using Gemini’s GenAI capabilities for four attack phases in particular, she said. Those attack phases are: Reconnaissance Vulnerability research Malicious scripting Evasion techniques “These are existing attack phases being made more efficient, not fundamentally new AI-driven attacks,” she said. Joyce didn’t say how Google was able to correlate Gemini use with specific threat groups, but she gave several examples of how nation-state threat actors are using GenAI tools. Iranian advanced persistent threat (APT) groups used Gemini to research “specific defense systems,” seeking information on topics such as unmanned aerial vehicles, jamming F-35 fighter jets, anti-drone systems, and Israel’s missile defense systems. North Korean APT actors researched nuclear technology and power plants in South Korea, including location and information on the security status of specific plants. Threat actors are also using GenAI for help with malware development. A North Korean APT group used Gemini for assistance developing code for sandbox evasion and to detect VM environments. Threat groups are also using GenAI to develop phishing lures and campaigns, including seeking help with translation and localization, such as requests for “fluent specific colloquial English,” Joyce said. Developing personas to make phishing campaigns more convincing is another APT use. GenAI Helps Cybersecurity Defenders Too Joyce said a number of effective security use cases are also making GenAI useful to security teams. She cited vulnerability detection, incident workflows, malware analysis and fuzzing as some defensive GenAI use cases. Also at the conference, Jeetu Patel, Cisco Executive Vice President and Chief Product Officer, unveiled the Foundation AI security model, an open source alerting and workflow Large Language Model (LLM) that was purpose-built for security. The Foundation AI base model is currently available on Hugging Face, and a multi-step reasoning model will be released soon, Patel said.
Analysis Summary
# Threat Actor: Iranian Advanced Persistent Threat (APT) Groups
## Attribution & Identity
Attribution is made to various **Iranian APT groups**. The article mentions their use of Generative AI (GenAI) tools like Gemini.
## Activity Summary
Iranian APT groups utilized GenAI (specifically Gemini) to enhance their reconnaissance efforts. They researched specific defense systems, focusing on topics such as:
* Unmanned aerial vehicles (UAVs)
* Jamming F-35 fighter jets
* Anti-drone systems
* Israel’s missile defense systems
## Tactics, Techniques & Procedures
- Research/Intelligence Gathering using GenAI to find specific, tactical defensive information.
- Malware development assistance (though the primary example for this is North Korean, Iranian groups are generally active in this sphere).
- Phishing lure development (general APT activity noted).
## Targeting
- Sectors: Defense/Military Technology (implied by research topics).
- Geography: Information pertaining to systems in **Israel** was researched.
- Victims: Specific victims not named, but the focus is on **defense systems and military hardware.**
## Tools & Infrastructure
- **GenAI Tools Used:** Gemini (Google's LLM) for research.
- Malware families used: Not explicitly detailed in the context of Iranian groups' GenAI usage, though malware development assistance is mentioned generally.
- Infrastructure: Not detailed.
## Implications
Iranian APTs are actively integrating cutting-edge technologies like GenAI into their intelligence gathering phases to obtain highly specific, technical information about adversary defense capabilities. This signals a maturing threat landscape where even state-sponsored groups leverage commercial AI tools to refine espionage operations against critical defense technologies.
## Mitigations
- Enhance intelligence gathering monitoring specifically focused on adversarial research intersecting with defense topics (UAVs, anti-drone tech, fighter jet countermeasures).
- Scrutinize research patterns for indicators of AI-assisted reconnaissance targeting proprietary or sensitive defense specifications.
***
# Threat Actor: North Korean APT Actors
## Attribution & Identity
Attribution is made to **North Korean APT actors**. They are reported using GenAI tools (Gemini) for both offensive and research purposes.
## Activity Summary
These actors used GenAI for two primary purposes:
1. **Espionage Research:** Researching nuclear technology and the security status of **specific power plants in South Korea**.
2. **Malware Development:** Using GenAI tools to assist in developing code specifically designed for **sandbox evasion and detecting Virtual Machine (VM) environments**.
## Tactics, Techniques & Procedures
- Research/Intelligence Gathering using GenAI on critical national infrastructure (nuclear power plants).
- Malware development assistance using GenAI for coding specialized evasion techniques.
- Specific TTPs researched: Sandbox Evasion, VM Detection.
- Phishing lure development assistance (general APT activity noted).
## Targeting
- Sectors: Energy/Critical Infrastructure (Nuclear Power Plants).
- Geography: **South Korea**.
- Victims: Specific power plants (though not named).
## Tools & Infrastructure
- **GenAI Tools Used:** Gemini.
- **Malware Techniques Aided by AI:** Sandbox Evasion, VM Detection capabilities.
- Infrastructure: Not detailed.
## Implications
North Korean APTs are demonstrating a clear focus on weaponizing GenAI for developing sophisticated, evasive malware. Assistance in creating code for obfuscation and environment detection suggests an effort to bypass modern security analysis environments. Their specific targeting of power plant security in South Korea remains a high-priority espionage vector.
## Mitigations
- Increase scrutiny and dedicated monitoring of network traffic and system behavior for signs of advanced VM/sandbox evasion techniques in malware samples.
- Implement robust endpoint detection and response (EDR) solutions capable of detecting behavioral anomalies indicative of VM detection checks.
***
# Threat Actor: General Threat Groups (APT/Cybercriminal Syndicates)
## Attribution & Identity
This section refers to **General Threat Groups** (encompassing both APTs and cybercriminal groups) leveraging GenAI broadly.
## Activity Summary
These groups are widely using GenAI tools (like Gemini) to refine and scale their offensive operations, primarily in social engineering and phishing.
## Tactics, Techniques & Procedures
- **Phishing Refinement:** Using GenAI to create more convincing phishing lures and campaigns.
- **Localization:** Seeking assistance with translation and achieving “fluent specific colloquial English.”
- **Persona Development:** Using GenAI to develop detailed personas to make social engineering efforts more convincing.
- **General Malware Development:** Use of GenAI for code assistance in developing malware.
## Targeting
- Sectors: Broad (implied, as phishing is a universal attack vector).
- Geography: Global (due to localization/translation requests).
- Victims: Undefined segment relying on social engineering.
## Tools & Infrastructure
- **GenAI Tools Used:** Gemini.
- Infrastructure: Not detailed.
## Implications
The democratization of advanced social engineering tactics via GenAI poses a risk to all organizations, as it lowers the barrier to entry for creating highly personalized and convincing pretexting attacks.
## Mitigations
- Implement mandatory and continuous security awareness training focused on recognizing newly sophisticated, well-localized phishing attempts.
- Enhance email and communication filtering to look for subtle linguistic inconsistencies or overly tailored language that might indicate GenAI assistance.