Microsoft’s threat intelligence team recently partnered with OpenAI to produce a report on threat actors using LLMs to streamline vulnerability research, targeting, and malware development. The research did not identify any significant operations that relied on LLMs, but identified threat groups from Russia, China, North Korea, and Iran that interacted with ChatGPT to assist their operations.

Microsoft researchers observed Russian APT28 (Fancy Bear/Forest Blizzard) using LLMs to support cyber operations and to research satellite and radar technologies relevant to the ongoing war in Ukraine. They also observed North Korean Kimsuky using LLMs for technical assistance, vulnerability research, and content generation for spear-phishing campaigns. LLMs will likely assist threat actors in developing phishing messages and social engineering tactics that require writing in non-native languages. Microsoft and OpenAI disabled all accounts they associated with APT activity.

