Cookies Policy

We use strictly necessary cookies whilst you are here. These are to enable the website to work and cannot be disabled. To read more about what this means, please see our Privacy Policy.

Large Language Models (LLMs) in the Arsenal of Sophisticated Adversaries

Thread (Free) allows users to upload articles covering cyber threat actors. Thread then extracts the text on that page and - using machine learning - maps the tactics, techniques and procedures (TTPs) in the text to MITRE ATT&CK®.

Introduction

Insights
reveal
threat
actors'
evolution,
not
revolution.
Adaptation
is
key
for
defence.

In the dynamic landscape of cybersecurity, the emergence of Large Language Models (LLMs) has elicited both anticipation and concern.

While some predict that LLMs will unleash a deluge of new malware, others believe these tools hold the key to solving all security challenges. However, amidst the hype, it is crucial to ground our understanding in tangible evidence.

Recent insights from Microsoft and OpenAI offer a sobering perspective, revealing that sophisticated adversaries are leveraging LLMs not to revolutionise their tactics, but to refine and augment their existing methods. Rather than heralding a seismic shift in attacker behaviour, the utilisation of LLMs by threat actors largely serves to enhance their operational effectiveness while also offering valuable insights for threat intelligence.

The Real Use Cases of LLMs

According to Microsoft various threat actors, including APT28 (Fancy Bear, Sofacy, Strontium, Grizzly Steppe, Sednit, SIG40, Group 74, PawnStorm, Snakemackerel, TG-4127, Tsar Team, Blue Athena, IRON TWILIGHT, Swallowtail, Threat Group-4127, Forest Blizzard, FROZENLAKE), APT37 (Thallium, Reaper, ScarCruft, InkySquid, Velvet Chollima, Konni Group, Black Banshee, Group 123, RICOCHET CHOLLIMA, NICKEL FOXCROFT, NICKEL KIMBALL, SharpTongue, RedEyes, Emerald Sleet), TortoiseShell (Houseblend, CURIUM, TA456, Crimson Sandstorm), Charcoal Typhoon (ControlX, CHROMIUM, BRONZE UNIVERSITY, RedHotel), and APT4 (Maverick Panda, Sykipot Group, Wisp, BRONZE EDISON, TG-0623, Salmon Typhoon), are actively exploring the capabilities of LLMs to bolster their cyber operations. These adversaries employ LLMs as productivity tools, utilising them for tasks such as:

LLM-informed reconnaissance: Interacting with LLMs to gain insights into subjects such as satellite communication protocols, radar technologies, and specific technical parameters, enhancing their understanding of potential targets.
LLM-assisted vulnerability research: Leveraging LLMs to identify and exploit publicly reported vulnerabilities, strengthening their offensive capabilities.
LLM-supported social engineering: Utilising LLMs to craft persuasive content for spear-phishing campaigns, targeting individuals with regional expertise or specific ideological affiliations.
LLM-enhanced scripting techniques: Integrating LLMs into scripting tasks to streamline operations, automate tasks, and optimise technical processes.
LLM-refined operational command techniques: Utilising LLMs for advanced command execution, enabling deeper system access and control post-compromise.

These insights underscore that while LLMs offer novel capabilities, their current usage by threat actors largely aligns with traditional tactics, albeit with greater efficiency and sophistication.

The Status Quo, but Better

Contrary to the notion of LLMs heralding a new era of cyber threats, their integration into the arsenals of sophisticated adversaries represents an evolution rather than a revolution. Threat actors are not fundamentally altering their strategies but rather leveraging LLMs to refine and amplify their existing methods. This highlights the importance for defenders to adapt their security measures accordingly.

For blue teamers, understanding how threat actors utilise LLMs provides valuable insights into potential attack vectors and vulnerabilities. Red teamers, meanwhile, can draw inspiration from these adversaries to refine their own offensive techniques and enhance their simulation exercises.

LLMs as a Source of Threat Intelligence

Furthermore, the specific ways in which threat actors utilise LLMs offer valuable intelligence for defenders. Looking at the Microsoft report:

APT28 has been using LLMs to study satellite and radar technologies. In December 2022 it was reported that APT28 was hacking satellite communications providers. This interest has clearly persisted since 2022 and should be noted by defenders that look after satellite communications providers.
APT37’s use of LLMs involved research into think tanks and experts on North Korea, and to understand CVE-2022–30190 (Follina). Think tanks and experts on North Korea should be aware that APT37 is in their threat model, and that they use unpatched vulnerabilities for remote code execution.
TortoiseShell and Charcoal Typhoon are both looking to improve their social engineering. Defenders that know these groups are in their threat model should be prepared for social engineering.
TortoiseShell was also seen trying to lure a prominent feminist to an attacker-built website, so people advocating for women’s rights, likely within Iran, should note that TortoiseShell is in their threat model.
APT4 has been using LLMs to research U.S. and internal Chinese affairs, so this hints at possible targets.

Conclusion

While the integration of LLMs into the arsenal of sophisticated adversaries presents new challenges for defenders, it also offers opportunities for the security community to learn from and adapt to these adversaries. Ultimately, while LLMs may not herald a paradigm shift in cybersecurity, they undoubtedly represent a significant evolution in the tactics and capabilities of threat actors.

Benefits

Why
select
Arachne?

Do you want to maximise your security within your budget? Arachne Digital is the logical choice.

Our platform searches the internet for information on threat actors, gathers reports, and categorises the findings by region, industry, and threat actor. Our process automatically maps TTPs to MITRE ATT&CK®, slashing research time and saving you money.

Threat Mitigation Experts

Connect with a way to see and neutralise potential attacks before they impact your organisation. Arachne Digital empowers organisations to anticipate and avoid cyber threats by delivering actionable intelligence.

Optimised Security Posture

By integrating the precise threat intelligence provided by our reports, you can evolve, prioritise and implement effective and continually updated security controls relevant to your organisation.

Streamlined Compliance

Comprehensive, insightful threat intelligence reports support audit preparations. Demonstrate a proactive approach to cybersecurity and achieve and maintain compliance more easily.

Testimonials
&
Partnerships

“Working with Arachne Digital has significantly enhanced our capabilities at CyberTeam. Their expertise in threat intelligence has been invaluable, particularly in the production of a comprehensive report on data loss and insider threats for a Primary Health Organisation. Arachne Digital provided critical insights into emerging trends overseas and detailed information on the information stealer market, which is a key driver of data loss.

Arachne Digital also delivered a thorough threat intelligence report for one of our government clients. This OSINT report covered trends among cyber threat actors and included links to the source code of various hacking tools such as remote access trojans, stealers, ransomware, wipers, and command and control frameworks. The detailed intelligence provided by Arachne Digital allowed us to put on an amazing demonstration for our client, enhancing their understanding of the current threat landscape.

Furthermore, Arachne Digital’s team works closely with us in integrating our tool, Speculo, with their data. Speculo is designed to help organisations get a full picture of their cyber risk with reliable analytics and a streamlined risk assessment process. The integration of Arachne Digital’s threat intelligence into Speculo provides evidence-based insights into cyber risks, making the tool more relevant to our customers. Arachne facilitated multiple face-to-face meetings and video calls, provided technical resources, comprehensive documentation, and example reports. This collaboration ensured that we could seamlessly integrate and utilize their data, significantly enriching the value we deliver to our clients.

Arachne Digital’s commitment to excellence and their proactive approach in supporting our needs have made them an indispensable partner. We highly recommend their services to any organisation looking to strengthen their threat intelligence capabilities.”

Cyber Team

Partnership

We
are
partnered
with
DISARM
Foundation.

Arachne Digital is proud to partner with the DISARM Foundation as the inaugural member of their Partner Programme, launched at the beginning of 2024.

This partnership is crucial in supporting the DISARM Foundation’s mission to maintain and enhance the DISARM Framework, ensuring it remains a free and continuously updated resource in the fight against disinformation.

Through our collaboration, Arachne Digital provides valuable feedback, promotes the integration of the framework into our operations, and encourages wider adoption within the defender community. This partnership highlights our commitment to combating evolving threats and fostering a secure digital environment.

Get In Touch

Identify
threat
actors
and
access
empowering
tools
and
information
for
real-world
applications.

Empower.
Defend.
Prevail.

Social

Stay in the loop with our latest updates, exclusive offers, and content by subscribing to our newsletter.

Built by

Cookies Policy

Large Language Models (LLMs) in the Arsenal of Sophisticated Adversaries

Introduction