Hackers using ChatGPT to improve cyberattacks: Microsoft, OpenAI
Attempts have been detected from Russian, North Korean, Iranian, and Chinese-backed groups who researched into targets, improved scripts

ChatGPT for cybercrime: Hackers have started using large language models like ChatGPT to upgrade existing cyberattacks, according to Microsoft and OpenAI.
The companies have detected attempts by Russian, North Korean, Iranian and Chinese-backed groups to research targets, improve scripts and refine social engineering techniques, according to recently published research.
“Cybercrime groups, nation-state threat actors, and other adversaries are exploring and testing different AI technologies as they emerge, in an attempt to understand potential value to their operations and the security controls they may need to circumvent,” Microsoft said in a blog post today.
Strontium, a group affiliated with Russian military intelligence, is using the LLMs “to understand satellite communication protocols, radar imaging technologies, and specific technical parameters,” according to the report.
The hacking group APT28, also known as Fancy Bear, which has been active in the Russia-Ukraine war and targeted Hillary Clinton’s presidential campaign in 2016, was also named in the report.
The language models are being deployed for “basic scripting tasks, including file manipulation, data selection, regular expressions, and multiprocessing, to potentially automate or optimize technical operations,” Microsoft said.
AI tools such as WormGPT and FraudGPT are being used to create malicious emails and cracking tools. State-affiliated Chinese hackers are also using LLMs for research, scripting, translation, and refining existing tools.
The North Korean hacking group Thallium has been using LLMs to research publicly reported vulnerabilities and target organisations, perform basic scripting and draft phishing content. The Iranian group Curium has likewise used the language models to write phishing emails and to develop code intended to evade detection by antivirus applications.
Microsoft said the companies have been shutting down all accounts and assets associated with these hacking groups.
“At the same time, we feel this is important research to publish to expose early-stage, incremental moves that we observe well-known threat actors attempting, and share information on how we are blocking and countering them with the defender community,” Microsoft said, while warning of emerging threats such as voice impersonation.