Google has disclosed that multiple state-backed hacking groups, including a North Korean threat actor, have been utilizing its Gemini AI platform to enhance reconnaissance activities and accelerate various stages of cyber attacks.
The Hacker News reports that Google’s Threat Intelligence Group revealed that the North Korea-linked hacking collective designated as UNC2970 employed the company’s Gemini generative AI model to synthesize open-source intelligence and create profiles of high-value targets as part of their campaign planning operations. According to a report shared with security researchers, this activity demonstrates an increasingly blurred line in AI between legitimate professional research and malicious reconnaissance efforts.
The threat actor utilized Gemini to gather information on major cybersecurity and defense companies while mapping specific technical job roles and salary data. This intelligence gathering enables the creation of customized phishing personas and helps identify vulnerable entry points for initial system compromise. UNC2970, which shares overlap with groups tracked as Lazarus Group, Diamond Sleet, and Hidden Cobra, has gained notoriety for conducting “Operation Dream Job,” a long-running campaign targeting aerospace, defense, and energy sectors by approaching victims with fraudulent job opportunities to deliver malware.
Google’s research indicates that UNC2970 represents just one example of multiple threat actors integrating Gemini into their operational workflows. The company documented several other hacking organizations misusing the AI platform for various malicious purposes. The unattributed group UNC6418 conducted targeted intelligence collection, specifically searching for sensitive account credentials and email addresses through the platform.
Chinese threat actors have shown particular interest in leveraging the AI tool. Temp.HEX, also known as Mustang Panda, compiled detailed dossiers on specific individuals, including targets in Pakistan, while gathering operational and structural data on separatist organizations across multiple countries. APT31, tracked as Judgement Panda, automated vulnerability analysis and generated targeted testing plans by masquerading as a security researcher. APT41 extracted explanations from open-source tool documentation and used the platform to troubleshoot and debug exploit code. UNC795 employed Gemini to troubleshoot code, conduct research, and develop web shells and scanners for PHP web servers.
A common abuse pattern involves threat actors reframing their prompts by identifying themselves as security researchers or participants in capture-the-flag exercises to manipulate the system into generating unintended responses. Steve Miller, AI threat lead at Google’s Threat Intelligence Group, stated: “Google is always working to improve our safety systems, including detection classifiers, mitigations and other safeguards to prevent misuse by threat actors. As adversaries experience friction in misusing our systems, they begin to experiment with new ways to bypass the safeguards – and though we see lots of these experiments, they are not always successful. Gemini is getting better at recognizing persona-based tricks and responding safely.”
The battle for AI supremacy between America and China is one area of focus for the upcoming book by Breitbart News Social Media Director Wynton Hall, Code Red: The Left, the Right, China, and the Race to Control AI. Code Red explains how America can beat China without becoming China, a crucial differentiation for freedom-loving Americans.
Read more at The Hacker News here.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship.
COMMENTS
Please let us know if you're having issues with commenting.