How AI is being used by cybercriminals to launch APT attacks

Kaspersky reveals that AI is not limited to the creation of malicious software but is also employed throughout various stages of advanced cyberattacks, from reconnaissance to data exfiltration. The article highlights how AI can be used to craft convincing phishing messages, adapt malware behavior, enhance persistence techniques, and optimize data theft, emphasizing the importance of advanced security solutions, regular software updates, user training, and multi-factor authentication in defending against AI-assisted APT attacks.

1 September 2023 – While much attention has been given to the potential misuse of AI by humans to create malware, Kaspersky, a global leader in cybersecurity, sheds light on a broader and more concerning aspect – the use of Artificial Intelligence (AI) in various phases of sophisticated cyberattacks. Cybersecurity experts warn that AI is becoming a formidable ally for cybercriminals, assisting them throughout every stage of an attack.

Noushin Shabab, Senior Security Researcher for the Global Research and Analysis Team (GReAT) Asia Pacific at Kaspersky, emphasizes that AI’s application extends far beyond crafting malicious software. In particular, AI has emerged as a potent tool for orchestrating Advanced Persistent Threats (APTs), a highly targeted and intricate form of cyber assault.

Shabab explains, “Beyond malware development, AI can be used in various stages of a sophisticated cyberattack. Nowadays, APT actors combine sophisticated techniques to evade detection and employ stealthy methods to maintain persistence. New AI developments can be of assistance to cybercriminals from the reconnaissance stage to data exfiltration.”

The World of Advanced Persistent Threats (APTs):

The term “Advanced Persistent Threat” carries the implication of continuous, covert, and sophisticated hacking tactics, designed to infiltrate systems and remain undetected for extended periods, potentially causing significant harm.

One defining characteristic of an APT attack is the emphasis on maintaining ongoing access to the target system. Achieving this requires a meticulously orchestrated sequence of stages, including reconnaissance, resource development, execution, and data exfiltration.

Shabab reveals that there are currently at least 14 active APT groups operating in the Asia Pacific (APAC) region. Notably, one of these groups, Origami Elephant (also known as the DoNot team, APT-C-35, SECTOR02), has displayed a keen interest in acquiring domains and virtual private servers during the resource development phase. This threat actor has been particularly active in South Asia, targeting government and military entities in Pakistan, Bangladesh, Nepal, and Sri Lanka since early 2020.

AI plays a pivotal role during the reconnaissance phase. It assists threat actors in identifying and understanding potential targets by automating data analysis from sources like online databases and social media platforms. This enables the collection of vital information about the target’s personnel, systems, and applications, ultimately pinpointing weak entry points in the target’s network architecture.

In addition to its role in reconnaissance, AI also streamlines tasks associated with building the attack infrastructure, including the purchase of network assets, account creation, and compromising network infrastructure and accounts.

Initial Access:

Spear phishing remains the favored initial access technique for APT actors in APAC. Among the 14 active cybercriminal groups in the region, 10 rely on spear phishing to breach their target’s network.

AI proves invaluable during this phase, allowing cybercriminals to craft highly convincing and personalized phishing messages. AI models are also used to identify the most promising entry points into the target network and the most opportune times to launch attacks: by analyzing network and system activity patterns, they identify windows of low security vigilance or high noise in which to launch phishing campaigns, increasing the chances of gaining initial access.

AI also enhances traditional brute-force attacks by intelligently selecting likely passwords based on patterns, dictionaries, and past breaches. By scrutinizing user behavior, social media activity, and personal information, AI algorithms make educated guesses about passwords, elevating the odds of successful access.

Execution and Persistence:

During the execution stage, AI exhibits the capability to adapt malware behavior in response to security measures, heightening the chances of a successful attack. AI-driven obfuscation techniques can create polymorphic malware, altering its code structure to evade detection.

AI-assisted command and scripting interpreters analyze the target environment, grasp system characteristics, and select optimal options for running malicious scripts or commands. AI-driven social engineering tactics further increase the likelihood of users interacting with malicious files, amplifying the success of the execution phase.

APT groups are renowned for their ability to maintain a presence within a network without detection. Shabab outlines two common techniques for achieving persistence: Scheduled Tasks/Jobs and Boot or Logon Autostart Execution.

During this stage, AI comes into play again, creating scripts best suited for executing malware based on user behavior analysis. Threat actors can also develop AI-powered malware capable of dynamically adjusting its persistence mechanisms in response to changes in the target environment.

AI-driven monitoring systems continuously track system changes and fine-tune persistence tactics, while AI-guided techniques manipulate Windows Registry entries to update persistence registry keys, eluding detection.
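The two persistence techniques named above (Scheduled Tasks/Jobs and Boot or Logon Autostart Execution, the latter typically via Run keys and Winlogon values in the Windows Registry) both leave telemetry a defender can watch. The following is an added illustration written for this page, not Kaspersky's code or anything from the article: it runs a small triage rule over a constructed sample of Windows event records shaped like Sysmon Event ID 13 (registry value set) and Security Event ID 4698 (scheduled task created). The field names follow those event schemas; the host names, SIDs, paths and task names are invented.

```python
"""Triage autostart registry writes and new scheduled tasks for persistence.

Added example for illustration only. Records are constructed to resemble
Sysmon Event ID 13 (TargetObject/Details) and Security Event ID 4698
(TaskName/TaskContent); every host, path and task name below is invented.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Registry locations that start a program at boot or logon (ATT&CK T1547.001).
# Sysmon's TargetObject carries the key path followed by the value name.
AUTOSTART_PATTERNS = [
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I),
    re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I),
]
# Indicators that raise an autostart entry from "routine" to "worth a look":
# a user-writable directory, or a script/proxy-execution host as the command.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)
SCRIPT_HOSTS = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b", re.I)
# Namespace used by the task XML carried in Event ID 4698's TaskContent field.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


@dataclass
class Finding:
    host: str
    event_id: int
    subject: str      # registry target or task name
    command: str
    reasons: list


def _suspicion_reasons(command: str) -> list:
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("runs from user-writable directory")
    if SCRIPT_HOSTS.search(command):
        reasons.append("uses script or proxy-execution host")
    return reasons


def check_registry_event(ev: dict):
    """Sysmon Event ID 13: return a Finding if the value set is an autostart entry."""
    target = ev["TargetObject"]
    if not any(p.search(target) for p in AUTOSTART_PATTERNS):
        return None
    reasons = ["writes to autostart location"] + _suspicion_reasons(ev["Details"])
    return Finding(ev["Computer"], 13, target, ev["Details"], reasons)


def check_task_event(ev: dict):
    """Security Event ID 4698: extract the task's Exec action from its XML."""
    root = ET.fromstring(ev["TaskContent"])
    cmd = root.findtext(".//t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    args = root.findtext(".//t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    command = (cmd + " " + args).strip()
    reasons = ["new scheduled task"] + _suspicion_reasons(command)
    return Finding(ev["Computer"], 4698, ev["TaskName"], command, reasons)


CHECKS = {13: check_registry_event, 4698: check_task_event}


def analyze(events):
    """Keep only findings with at least one suspicion indicator beyond the
    autostart write or task creation itself, since installers do both routinely."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        finding = check(ev) if check else None
        if finding and len(finding.reasons) > 1:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs).
_TASK_XML = ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
             '<Actions><Exec><Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions>'
             '</Task>')
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe /background"},          # routine installer
    {"EventID": 13, "Computer": "WS02",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSync",
     "Details": r"powershell.exe -WindowStyle Hidden -File C:\Users\alice\AppData\Roaming\sync.ps1"},
    {"EventID": 13, "Computer": "WS02",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},                                          # not an autostart key
    {"EventID": 4698, "Computer": "SRV01", "TaskName": r"\Microsoft\Windows\Maintenance\Health",
     "TaskContent": _TASK_XML.format(cmd=r"C:\ProgramData\health\svc.exe", args="-q")},
    {"EventID": 4698, "Computer": "SRV01", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": _TASK_XML.format(cmd=r"C:\Windows\System32\defrag.exe", args="C: /O")},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.host, f.event_id, f.subject, "|", f.command, "|", "; ".join(f.reasons))
```

On the sample, only the hidden PowerShell Run entry on WS02 and the ProgramData task on SRV01 surface; the vendor updater and the defrag task write to the same locations but carry no further indicator, which is the point of requiring a second reason. In practice the baseline of "what normally lands in these keys" on a given fleet matters more than the indicator list, and a finding is a lead for an analyst, not a verdict.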

Data Exfiltration and Impact:

AI also plays a crucial role in stealthily and efficiently exfiltrating stolen data. AI analyzes network traffic patterns to blend seamlessly with regular network behaviors and determine the most suitable communication channels for data exfiltration. It optimizes obfuscation, compression, and encryption of stolen data to evade abnormal traffic detection.

However, this AI-enhanced efficiency can maximize the impact of cyberattacks, making it imperative for enterprises and organizations to bolster their defenses. Shabab offers several recommendations:

  1. Advanced Security Solutions: Implement advanced security solutions that monitor user and system behaviors, identifying deviations from normal patterns as potential signs of malicious activities.
  2. Regular Software Updates: Keep all software, applications, and operating systems up to date to mitigate vulnerabilities that attackers might exploit.
  3. User Training and Awareness: Provide comprehensive training to employees on cybersecurity best practices, including recognizing and avoiding social engineering attacks and phishing attempts.
  4. Multi-Factor Authentication (MFA): Enforce MFA for accessing critical systems and applications, reducing the risk of unauthorized access even if credentials are compromised.
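The exfiltration paragraph above describes an attacker who shapes traffic to blend with regular network behaviour, and recommendation 1 asks for monitoring that flags deviations from normal patterns. The following is an added example written for this page, not Kaspersky's code or a description of any Kaspersky product: it builds a per-host baseline from constructed hourly outbound-flow summaries and applies two complementary checks, one for volume spikes against the host's own history and one for cumulative bytes to destinations the host has never talked to. The host names, destinations and byte counts are invented, and the thresholds are assumed tuning values.

```python
"""Per-host outbound baseline with two exfiltration checks.

Added example for illustration only; flows are constructed, not captured.
Each flow is (host, hour_index, destination, dst_port, bytes_out).
"""
import statistics
from collections import defaultdict


def build_flows():
    """Constructed telemetry. WS02 normally sends ~2 MB/hour of HTTPS to two
    SaaS hosts. In hour 40 it bursts 60 MB to a never-seen host; from hour 41
    it trickles 200 KB/hour to another new host, staying inside the hourly
    envelope so that a volume threshold alone would not notice."""
    flows = []
    for h in range(40):
        flows.append(("WS02", h, "saas-a.example", 443, 1_200_000 + (h % 5) * 50_000))
        flows.append(("WS02", h, "saas-b.example", 443, 800_000 + (h % 3) * 40_000))
    flows.append(("WS02", 40, "saas-a.example", 443, 1_300_000))
    flows.append(("WS02", 40, "saas-b.example", 443, 820_000))
    flows.append(("WS02", 40, "cdn-203.example", 443, 60_000_000))
    for h in range(41, 49):
        flows.append(("WS02", h, "saas-a.example", 443, 1_250_000))
        flows.append(("WS02", h, "saas-b.example", 443, 830_000))
        flows.append(("WS02", h, "files-7.example", 443, 200_000))
    return flows


def hourly_totals(flows):
    """host -> hour -> total bytes out."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, hour, _dst, _port, nbytes in flows:
        totals[host][hour] += nbytes
    return totals


def baseline(flows, train_hours):
    """host -> (mean, stdev, set of destinations seen) over the training window."""
    train = [f for f in flows if f[1] < train_hours]
    model = {}
    for host, per_hour in hourly_totals(train).items():
        vals = [per_hour[h] for h in sorted(per_hour)]
        known = {f[2] for f in train if f[0] == host}
        model[host] = (statistics.mean(vals), statistics.stdev(vals), known)
    return model


def detect(flows, train_hours=40, z_threshold=3.0, new_dest_bytes=1_000_000):
    """Return (kind, host, key, detail) alerts for the hours after the training window.
    z_threshold and new_dest_bytes are assumed tuning values, not derived constants."""
    model = baseline(flows, train_hours)
    evaluate = [f for f in flows if f[1] >= train_hours]
    alerts = []

    # Check 1: the host's hourly outbound volume against its own history.
    for host, per_hour in hourly_totals(evaluate).items():
        if host not in model:
            alerts.append(("unbaselined_host", host, None, "no training data"))
            continue
        mean, sd, _ = model[host]
        for hour, total in sorted(per_hour.items()):
            z = (total - mean) / (sd or 1.0)
            if z > z_threshold:
                alerts.append(("volume_spike", host, hour, f"{total} bytes, z={z:.1f}"))

    # Check 2: cumulative bytes to destinations absent from the baseline. This is
    # what catches a low-and-slow transfer that never breaks the hourly envelope.
    new_dest = defaultdict(int)
    for host, _hour, dst, _port, nbytes in evaluate:
        if host in model and dst not in model[host][2]:
            new_dest[(host, dst)] += nbytes
    for (host, dst), total in new_dest.items():
        if total >= new_dest_bytes:
            alerts.append(("new_destination", host, dst, f"{total} bytes cumulative"))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_flows()):
        print(*alert)
```

Run on the constructed flows, the volume check fires only for hour 40, while the 8-hour trickle to files-7.example (1.6 MB in total, never more than 200 KB in any hour) is caught solely by the new-destination check. That division of labour is the practical lesson: a model of "normal volume" is easy for an adversary to stay under, whereas "normal set of peers" is harder to imitate without the defender's own history. Both thresholds would be tuned per environment, and the baseline would be recomputed on a rolling window rather than fixed at 40 hours.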

For more information about Kaspersky’s advanced security solutions, interested customers can visit Kaspersky’s Enterprise Security.

Kaspersky will continue to explore the future of cybersecurity at the Kaspersky Security Analyst Summit (SAS) 2023, taking place in Phuket, Thailand, from October 25th to 28th. This event brings together esteemed anti-malware researchers, global law enforcement agencies, Computer Emergency Response Teams, and senior executives from various industries worldwide.

Author: Terry KS
