
Cybersecurity Today: State-Backed ChatGPT Misuse, Dark Gaboon Attacks, and Starlink Installation Controversy

Jun 11, 2025 (13 min)

Episode description

This episode of 'Cybersecurity Today' hosted by Jim Love covers various significant events in the cybersecurity landscape. OpenAI has banned multiple ChatGPT accounts linked to state-sponsored hackers from countries including China, Russia, North Korea, Iran, and the Philippines for developing malware, generating disinformation, and conducting scams.

The episode also discusses the Dark Gaboon hacker group, which targets Russian companies with LockBit 3.0 ransomware.

Furthermore, it highlights the controversial installation of a Starlink satellite internet terminal at the White House by Elon Musk's DOGE team, bypassing normal security measures, and a hardware enthusiast's successful use of ChatGPT to unlock an Android tablet's BIOS, raising questions about firmware security. 

00:00 OpenAI Bans ChatGPT Accounts Used by State-Backed Hackers
00:25 State-Sponsored Threat Actors Exploiting ChatGPT
04:36 Dark Gaboon: A New Hacker Group Targets Russia
07:11 Elon Musk's DOGE Team Installs Starlink at the White House
09:57 Unlocking an Android Tablet with ChatGPT
12:07 Conclusion and Contact Information

Transcript

OpenAI bans ChatGPT accounts used by state-backed hackers. A new hacker group, Dark Gaboon, uses LockBit ransomware to target Russian companies. ChatGPT helps unlock an Android tablet, and Musk's DOGE team installed Starlink at the White House despite security warnings. This is Cybersecurity Today.

I'm your host, Jim Love. OpenAI has shut down dozens of ChatGPT accounts linked to state-sponsored threat actors from China, Russia, North Korea, Iran, and the Philippines, who were using the AI chat bot to develop malware, generate disinformation campaigns, and conduct employment scams. The company released its latest threat intelligence report this week, documenting 10 distinct operations across three months that misused ChatGPT for malicious purposes.

Chinese-linked accounts were represented in four of the 10 operations, making China the most active nation in attempting to weaponize the AI platform. OpenAI attributed some accounts to well-known Chinese hacking groups APT5 and APT15, known respectively as Keyhole Panda and Vixen Panda. These advanced persistent threat groups, which have been active since at least 2007 and 2010 respectively, used ChatGPT to assist with password brute-forcing scripts, AI-driven penetration testing, and social media automation. OpenAI stated that multiple threat actors sought publicly available information on US Special Operations Command, satellite communications technologies, and specific ground station terminal locations, as well as government identity verification cards and networking equipment.

Russian-speaking threat actors used ChatGPT to develop Windows malware that OpenAI dubbed Scope Creep. The malware targeted video game players and included capabilities for privilege escalation, credential theft, and Telegram-based notifications to attackers. The Russian actors demonstrated operational security awareness, using temporary email addresses to sign up for ChatGPT accounts and limiting each account to single conversations about incremental code improvements before abandoning them.

Chinese accounts generated bulk social media posts in English, Chinese, and Urdu covering divisive US political topics. The content appeared on TikTok, X, Reddit, Facebook, and other platforms, though most posts garnered little legitimate engagement.

Russian accounts generated German-language content about Germany's federal elections and anti-NATO messaging, and Iranian accounts produced similar geopolitical content, while accounts from the Philippines created posts supporting President Ferdinand Marcos Jr.'s policies. North Korean threat actors used ChatGPT extensively for their well-documented IT worker scheme, generating fake resumes and personas to apply for remote jobs. The accounts researched tools to circumvent corporate security measures and maintain undetected remote access to company systems. OpenAI detected two types of operators: core operators, who automated resume creation based on job descriptions, and contractors, who performed actual work tasks using the fraudulent identities.

Accounts linked to Cambodia's cyber scam industry generated recruitment messages in multiple languages, offering high-paying jobs for simple tasks like liking social media posts. Cambodia has become the epicenter of cyber fraud operations, where trafficked individuals are forced to conduct online scams. Despite the concerning activity, OpenAI emphasized the threat actors gained no novel capabilities they couldn't obtain elsewhere.

"We found no evidence that access to our models provided these actors with novel capabilities or directions that they could not otherwise have obtained from multiple publicly available resources," the company stated. China's foreign ministry told Reuters there is no basis for OpenAI's claims, saying China has consistently opposed the misuse and abuse of artificial intelligence technology.

OpenAI said it shared threat indicators with industry partners and continues monitoring for malicious activity as part of its AI safety efforts. We tend to think of Russia as the home to cybercrime groups, where they're immune from prosecution. But a cybercrime group dubbed Dark Gaboon has been targeting Russian companies with LockBit 3.0 ransomware since 2023, operating independently from traditional ransomware-as-a-service networks.

The group was first identified by Russian cybersecurity firm Positive Technologies in January, but researchers have traced its operations back to 2023. Dark Gaboon has targeted Russian organizations across the banking, retail, tourism, and public services sectors. In the latest spring campaign, Dark Gaboon deployed LockBit 3.0 ransomware against Russian victims. The group uses a version that was publicly leaked in 2022 and is now employed by numerous cybercriminals.

But unlike LockBit affiliates operating under the ransomware-as-a-service model, Dark Gaboon appears to function independently. Dark Gaboon relies on phishing emails written in Russian, crafted to appear urgent and directed at employees in financial departments. The malicious attachments are disguised as legitimate financial documents based on templates downloaded from legitimate Russian-language sources. These decoy files have remained relatively unchanged since 2023.

But once inside a victim's network, the group deploys LockBit 3.0 to encrypt files and leaves behind a ransom note in Russian containing two contact email addresses. Researchers found no signs of data exfiltration during these recent incidents. The group uses open source tools, including Revenge RAT, XWorm, and LockBit ransomware, to blend in with broader cybercriminal activity, making attribution difficult.

Positive Technologies said they could not identify the individuals behind Dark Gaboon, but said the perpetrators are likely fluent in Russian. The same email addresses and current ransom notes were previously linked to LockBit-based attacks on Russian financial institutions between March and April 2023. Positive Technologies was sanctioned by the US in 2021 for allegedly providing IT support to Russian civilian and military intelligence agencies.

The company has denied these allegations as groundless. Russian entities have previously been targeted with LockBit variants, including a December attack on the largest dairy processing plant in southern Siberia.

Elon Musk's Department of Government Efficiency, the DOGE team, installed a Starlink satellite internet terminal at the White House, reportedly without informing communications security staff, potentially allowing data transmission outside normal tracking systems.

The DOGE team installed the Starlink terminal on the roof of the Eisenhower Executive Office Building in February with the approval of the Trump administration, but against the concerns of security officials. According to the Washington Post, the installation raised alarms among security experts who worried the system could bypass White House data tracking and monitoring systems.

The officials in charge of protecting White House communications were not informed of the installation ahead of time, insiders told the Post. "With a Starlink connection, that means White House devices could leave the network and go outside the gateways," a person familiar with the matter told the Daily Beast. "It's going to help you bypass security." DOGE officials said the Starlink installation was intended to address internet dead zones on the White House campus.

However, the move created a separate network that bypassed traditional White House security protocols that track data transmission with names and timestamps. A Starlink guest Wi-Fi network appeared on White House phones in February, requiring only a password rather than the usual username and second form of authentication typically required for White House guest networks. The network was still appearing on White House visitors' phones this week, according to the Washington Post.

The installation initially triggered a confrontation between DOGE employees and the Secret Service, though the Secret Service later downplayed the security concerns. Secret Service spokesperson Anthony Guglielmi told the Washington Post, "We were aware of DOGE's intentions to improve internet access on the campus and did not consider this matter a security incident or a security breach."

The White House referred questions to the Secret Service, which said it could not discuss specific technology systems for security reasons. The Starlink installation is part of a broader pattern of DOGE accessing sensitive government data systems. At other agencies, DOGE staffers have demanded deep access to data and disabled logging that tracked what they did with it.

In April, a whistleblower at the National Labor Relations Board accused DOGE of a significant cybersecurity breach, alleging the team accessed sensitive data while requesting their activities not be logged and attempting to cover their tracks. We covered that story in an interview with the whistleblower.

Starlink is operated by Musk's SpaceX company, and Musk has since stepped back from his government role as his relationship with Trump has deteriorated.

A hardware enthusiast successfully used ChatGPT to modify a locked Android tablet's BIOS, bypassing factory reset protection and secure boot to install Windows 10 and Linux on the previously unusable device. XDA forum member Devicemodder documented the breakthrough with a Panasonic Toughpad FZ-A2 tablet that was locked with factory reset protection (FRP), which ties devices to user accounts and prevents unauthorized use after factory resets. The modder used a $14 CH341A flash programmer to extract the tablet's UEFI BIOS, and then uploaded the binary file to ChatGPT with instructions to completely disable secure boot and remove Panasonic's proprietary security keys. The AI successfully modified the BIOS code, allowing the modder to reflash the firmware back to the device.

The modder wrote, "To my knowledge, there's no information on the hack I did online, and I might be the first person to attempt this," explaining that the tablet's secure boot keys were designed to only run Android and blocked any attempts to boot from external drives. After flashing the ChatGPT-modified BIOS, the tablet successfully booted Linux Mint and later Windows 10.

However, some hardware components, including the touchscreen, cameras, barcode reader, and audio systems, still have compatibility issues requiring additional driver work. So on the plus side, the technique could potentially help unlock thousands of ex-corporate devices sitting unused in secondary markets due to forgotten firmware passwords or FRP locks. Used device marketplaces contain numerous laptops and tablets rendered unusable by such security measures. However, security experts note it also raises questions about the robustness of firmware-level protections when AI tools can potentially identify and disable security measures. The modder shared details of the process to help others potentially recover similar locked devices for legitimate reuse.

And that's our show. Love to hear from you.

You can reach us at [email protected], or if you're watching this on YouTube, just leave a comment under the video. And if you find the content helpful or enjoyable, please consider going to buymeacoffee.com/techpodcast. That's buymeacoffee.com/techpodcast, and buy us a coffee. It really helps with the cost of producing the shows. I'm your host, Jim Love. Thanks for listening.

Transcript source: Provided by creator in RSS feed.