A new report by Google shows that the North Korean hacking collective UNC2970 is utilizing cutting-edge artificial intelligence technology. Unlike most states, they’ve especially welcomed Gemini AI to enhance their cyberattack arsenal. This group has a very successful up campaign – Operation Dream Job. It deliberately reaches across several industries, including aerospace, national defense and energy. Voices from the Frontlines report indicates that UNC2970 is shifting its strategy. From reconnaissance to actual targeting. This is a significant and distressing escalation in the level of sophistication of cyber threats.
UNC2970’s operations are strikingly similar to those of other widely known malicious hacking collectives. Some of these aliases include Lazarus Group, Diamond Sleet, and Hidden Cobra. Together, UNC2970 and Gemini AI create a powerful ordinance that has the potential to transform local policy. It has transformed from simply collecting intelligence to carrying out focused attacks with deadly accuracy.
Operation Dream Job: Targeting Key Sectors
Operation Dream Job quickly became a centerpiece of UNC2970’s activities. Importantly, it goes after high-value sectors that are essential to our national security, as well as economic competitiveness and prosperity. The peer-to-peer group has spent the last few years in a methodical process of gathering qualitative and quantitative information on large cybersecurity and defense firms. They diagram a taxonomy of technical job roles and collect compensation data. Their intent is probably to take advantage of weaknesses inside these organizations.
These people are experts enough live action this campaign shows just how much cybercriminals are leveling up their strategy with their targets. By unraveling the staffing and operational structures of these sectors, UNC2970 positions itself to be able to fire more damaging shots. The increasing sophistication of malware adds a new layer of complexity to the threat landscape.
The Role of AI in Cybersecurity Threats
The potential misuse of this AI technology goes far beyond just the scope of UNC2970. This adaptation became a staple tactic by other threat actors as well, including China’s APT31, which made this shift. For example, APT31 employed AI to automate vulnerability analysis, impersonating human security researchers to elicit responses from systems. At the same time, this approach enables them to exploit vulnerabilities more effectively and at a larger scale.
APT41 does the same with its own AI-driven strategies, pulling explanations from open-source tool documentation and debugging exploit code. APT42, an Iranian cyber espionage group, has developed tools designed for reconnaissance and targeted social engineering. These tools immensely expand their ability to execute complex cyber operations.
Farida Shafik, an expert in cybersecurity, emphasizes the risks associated with AI in this context:
“Many organizations assume that keeping model weights private is sufficient protection.” – Farida Shafik
First and foremost, she cautions that focusing only on model privacy can lead to a misleading sense of security. In her view, the behavior of AI models is equally important:
“In reality, behavior is the model. Every query-response pair is a training example for a replica. The model’s behavior is exposed through every API response.” – Farida Shafik
Defensive Measures Against Evolving Threats
Indeed, just as adversaries advance their methods and bring AI to bear on their approaches, defenders need to stay one step ahead. Steve Miller from Google underscores the importance of continuous improvements in safety systems:
“Google is always working to improve our safety systems, including detection classifiers, mitigations and other safeguards to prevent misuse by threat actors.” – Steve Miller
He points to the fact that adversaries struggle when trying to exploit complicated systems like Gemini. So, they will have to test out different approaches to circumvent the protections. This never-ending game of cat and mouse between threat actors and cybersecurity defenders requires an ever-present degree of vigilance and innovation.
He cautions that this trend is harbinger of future, more frequent AI-driven strikes. These attacks will be more rapid and higher quality than we’ve seen previously. Therefore, he advocates for defenders to invest in AI-driven defensive capabilities that can operate at machine speed:
“Everyone is looking to increase productivity with automation. Adversaries are increasingly seeing value from AI.” – Steve Miller
He warns that this trend indicates a future where the quality, speed, and volume of AI-enabled attacks will increase significantly. Therefore, he advocates for defenders to invest in AI-driven defensive capabilities that can operate at machine speed:
“Defenders need to prepare for the future and make similar investments in AI.” – Steve Miller