On the occasion of Google Cloud Next, Google Threat Intelligence provided an overview of cyber threats linked to AI. Hackers are no longer content with experimenting: they are scaling up.
Doctolib already entrusted us in June 2024 having been the victim of a semi-AI-assisted attack. An early case, isolated at the time or at least perceived as such. Now, Sandra Joyce, vice-president of Google Threat Intelligence is clear: this type of attack is no longer exceptional. During a press briefing devoted to new threats fromartificial intelligenceshe draws up an observation that many companies still refuse to hear. Hackers no longer experiment with AI, they industrialize it. And the groundswell has not yet broken.
AI-driven malware used by Russia
Sandra Joyce is direct, we are in “a drizzle before the storm”. The cases documented by Google Threat Intelligence are quite staggering. The most striking example? Malware deployed by the GRU, Russian military intelligence. A special feature is that it does not ship its orders hard. When executing on the compromised machine, the malware queries an LLM hosted in China to decide its next actions. Very concretely, the malware would adapt to the environment it discovers and thus render traditional detection signatures largely ineffective.
Second case, on the Chinese side this time: a cyber-espionage campaign in which most of the tactical decisions (choice of targets, lateral movements, exfiltration) were delegated to an AI system. “The operation was mainly orchestrated by AI, with occasional human intervention,” summarizes Sandra Joyce. This is, to his knowledge, the first publicly documented campaign of this nature.
The collapse of the barrier to entry
But the most worrying signal is, according to Sandra Joyce, the collapse of the entry barrier for newcomers. On the dark web forums that her teams monitor, “there are now marketplaces that sell all kinds of tools to hijack AI: fraudulent access to large model APIs, supposedly unbridled LLMs, turnkey attack tools,” she lists. She cites by name an open source tool, HexStrike AI MCP Agents, which aggregates around 150 offensive programs in a single interface: recognition, exploitation of vulnerabilities, post-exploitation, exfiltration.
Everything works thanks to MCP servers. “This allows a single person to truly scale up their use of malicious tools. “In other words, a lone attacker now has the operational power of a small, structured team. “It would almost be unwise to assume that bad actors don’t already have access to these capabilities. If they don’t already have it, they are looking to obtain it,” says the VP.
Claude Mythos, a false problem?
In recent weeks, the industry has focused on MythosAnthropic’s model capable of discovering and exploiting vulnerabilities autonomously, presented as dangerous enough not to be widely distributed. The vice-president of Google Threat Intelligence brushes the subject aside. “It’s a very powerful model, but I don’t think the other models are very far behind,” she says. And remember that Google did the same thing last year with its agent Big Sleep, which discovered a zero-day vulnerability in SQLite before malicious actors could exploit it.
The real problem is therefore not Mythos itself, but what revolves around it. Open source models with equivalent capabilities “already exist and are accessible to everyone, without any safeguards”. On the dark web, some are even offered pre-configured for offensive uses. “Put yourself in the position of a malicious actor who wants to carry out espionage, sabotage or theft. Why would you go and use a model that has all the protections and safeguards? You would rather go for something with holes everywhere, and you would start there,” she says, directly evoking the case of new open source AI models.
With AI, new markets for ransomware
More surprisingly, LLMs also allow ransomware hacker groups to target new markets. Historically, ransomware groups have heavily targeted English-speaking countries, due to a lack of means to produce credible phishing messages in other languages at scale. With generative models, this friction no longer exists. Sandra Joyce confirms a very clear shift: “We have seen a very significant increase,” she indicates, pointing to Germany, which has even surpassed the United Kingdom, formerly the most targeted country in the world. And the vice-president of Google Threat Intelligence insists, it is no longer just large groups that are targeted, but the Mittelstand, the German industrial backbone.
Sandra Joyce concludes with a formula that sums up the paradox of the moment: “If there were no malicious actors, this would be a wonderful moment for cybersecurity. “The same tools that industrialize the attack could in fact equip defenders with an unprecedented capacity: continuous code scanning, real-time vulnerability detection, automated remediation. The race is now a question of timing. Today, defenders still have a head start over the majority of malicious actors. But until when? “We must put ourselves in the state of mind that we must be ready for the day, very soon, when malicious actors will have full access to these capabilities,” she warns.
