Google says it’s spotted Chinese, Russian, Iranian, and North Korean government agents using its Gemini AI for nefarious purposes, with Tehran by far the most frequent naughty user out of the four.
The web giant has been tracking the use of Gemini by these nations, spotting them not just with simple indicators, presumably such as IP addresses, but with a combination of technical signals and behavioral patterns, we’re told.
And while these state-backed snoops have managed to use Gemini for translating and tailoring phishing lures for specific victims, looking up information about surveillance targets, and writing some software scripts, Google admitted, the biz claims its guardrails at least stopped its AI from generating malware.
Overall, the American internet goliath reckons Iran et al aren’t doing anything too outrageous, and are mainly asking the LLM for info and guidance as it was designed for. In other words, foreign governments are using Google AI for bad things, but it’s not too bad, or so we’re told.
“While AI can be a useful tool for threat actors, it is not yet the gamechanger it is sometimes portrayed to be,” Google said in a Threat Intelligence Group (TIG) report [PDF] this week. “While we do see threat actors using generative AI to perform common tasks like troubleshooting, research, and content generation, we do not see indications of them developing novel capabilities.”
Iranian spies accounted for 75 percent of all observed Gemini use by the aforementioned quartet’s agents, the TIG report notes. The Google team identified over 10 Iran-backed cyber-crews using the AI service, with some particularly focused on researching Android-related security. More broadly, these groups used Gemini for reconnaissance, researching vulnerabilities, identifying free hosting providers, and crafting local personas and content for cyber operations. Notably, Iran’s APT42 unit leveraged Gemini to craft phishing content, and made up 30 percent of all Iranian APT, or advanced persistent threat, activity on the platform.
Chinese spies have also been using it for content creation and basic research, with 20 groups from the Middle Kingdom identified so far. Much of this activity focuses on researching US government institutions, while Beijing-backed snoops have also sought assistance with Microsoft-related systems and translation work, according to the report.
Google also says it has spotted North Korean operatives using its LLM to write job applications for IT workers as part of the hermit nation’s ongoing efforts to insert its workers into Western companies. Nine distinct groups of Norks also tried to find freelancer forums on Discord, and information related to South Korean military and nuclear technology, through Gemini.
Russians are relatively light users of Gemini, it seems, with only three groups observed by the team. Google speculates that this could be down to them either using domestically generated LLMs or attempting to limit exposure to avoid being monitored. Or maybe they’re just really good at hiding their usage of the LLM.
Around 40 percent of Russian activity came from operators