The downsides of artificial intelligence tools go beyond everyday inconveniences like inflated gadget prices or inaccurate online searches; the tools also aid cybercriminals. According to Google, the favored large language model among state-affiliated attackers from nations including Russia, China, North Korea, and Iran is its own Gemini system.

Google's Threat Intelligence Group has released an extensive analysis labeling these activities as breaches of its service policies. The report outlines how operatives linked to these countries employ Gemini primarily for automated monitoring, pinpointing valuable objectives such as businesses, independence movements, and political opponents, along with potential security weaknesses. Groups tied to China and Iran have conducted advanced operations, such as refining malicious software code and crafting deceptive interactions. Notably, an Iran-connected team created a demonstration exploit targeting a prominent vulnerability in the WinRAR archiving software.

Large language models excel at analyzing and summarizing vast datasets, a machine-learning capability that lets them do work human teams could not complete in years. While this proves beneficial in legitimate fields like astronomy or medicine, it equally empowers cybercriminals by streamlining the labor-intensive tasks of detecting software flaws and gathering intelligence on potential victims and manipulation strategies.

A particularly illustrative case involves a collective known internally as APT31, which submitted a Gemini query posing as a security expert evaluating the Hexstrike MCP framework—a platform integrating artificial intelligence components with established cybersecurity utilities to assess risks and infiltration methods. Gemini lacks the ability to differentiate between ethical researchers and hostile intruders, as their methodologies often align closely, leading to identical responses despite Google's prohibition on such applications.

Beyond vulnerability probing, Gemini supports routine programming tasks, including developing and troubleshooting malware. The report further notes that actors from China, Iran, Russia, and Saudi Arabia leverage it to generate satirical content and ideological messaging, disseminated via online channels and traditional formats like printed materials.

In response, Google states it has blocked Gemini access for accounts it reliably flags as harmful, encompassing the observed government-linked cyber units.