
This episode of 'Cybersecurity Today' hosted by Jim Love covers various significant events in the cybersecurity landscape. OpenAI has banned multiple ChatGPT accounts linked to state-sponsored hackers from countries including China, Russia, North...
Jim Love
OpenAI bans ChatGPT accounts used by state-backed hackers. A new hacker group, Dark Gaboon, uses LockBit ransomware to target Russian companies, ChatGPT helps unlock an Android tablet, and Musk's Doge team installed Starlink into the White House despite security warnings. This is Cybersecurity Today. I'm your host, Jim Love.

OpenAI has shut down dozens of ChatGPT accounts linked to state-sponsored threat actors from China, Russia, North Korea, Iran and the Philippines who were using the AI chatbot to develop malware, generate disinformation campaigns and conduct employment scams. The company released its latest threat intelligence report this week, documenting 10 distinct operations across three months that misused ChatGPT for malicious purposes. Chinese-linked accounts were represented in four of the 10 operations, making China the most active nation in attempting to weaponize the AI platform. OpenAI attributed some accounts to well-known Chinese hacking groups APT5 and APT15, known respectively as Keyhole Panda and Vixen Panda. These advanced persistent threat groups, which have been active since at least 2007 and 2010 respectively, used ChatGPT to assist with password brute-forcing scripts, AI-driven penetration testing and social media automation. OpenAI stated that multiple threat actors sought publicly available information on U.S. Special Operations Command, satellite communications technologies and specific ground station terminal locations, as well as government identity verification cards and networking equipment. Russian-speaking threat actors used ChatGPT to develop Windows malware that OpenAI dubbed ScopeCreep. The malware targeted video game players and included capabilities for privilege escalation, credential theft and Telegram-based notifications to attackers. The Russian actors demonstrated operational security awareness, using temporary email addresses to sign up for ChatGPT accounts and limiting each account to single conversations about incremental code improvements before abandoning them. Chinese accounts generated bulk social media posts in English, Chinese and Urdu covering divisive US political topics. The content appeared on TikTok, X, Reddit, Facebook and other platforms, though most posts garnered little legitimate engagement. Russian accounts generated German-language content about Germany's federal elections and anti-NATO messaging. Iranian accounts produced similar geopolitical content, while accounts from the Philippines created posts supporting President Ferdinand Marcos Jr.'s policies. North Korean threat actors used ChatGPT extensively for their well-documented IT worker scheme, generating fake resumes and personas to apply for remote jobs. The accounts researched tools to circumvent corporate security measures and maintain undetected remote access to company systems. OpenAI detected two types of operators: core operators, who automated resume creation based on job descriptions, and contractors, who performed actual work tasks using the fraudulent identities. Accounts linked to Cambodia's cyber scam industry generated recruitment messages in multiple languages, offering high-paying jobs for simple tasks like liking social media posts. Cambodia has become the epicenter of cyber fraud operations where trafficked individuals are forced to conduct online scams. Despite the concerning activity, OpenAI emphasized the threat actors gained no novel capabilities they couldn't obtain elsewhere. "We found no evidence that access to our models provided these actors with novel capabilities or directions that they could not otherwise have obtained from multiple publicly available resources," the company stated. China's Foreign Ministry told Reuters there is no basis for OpenAI's claims, saying China has consistently opposed the misuse and abuse of artificial intelligence technology. OpenAI said it shared threat indicators with industry partners and continues monitoring for malicious activity as part of its AI safety efforts.

We tend to think of Russia as the home to cybercrime groups, where they're immune from prosecution, but a cybercrime group dubbed Dark Gaboon has been targeting Russian companies with LockBit 3.0 ransomware since 2023, operating independently from traditional ransomware-as-a-service networks. The group was first identified by Russian cybersecurity firm Positive Technologies in January, but researchers have traced its operations back to 2023. Dark Gaboon has targeted Russian organizations across the banking, retail, tourism and public services sectors. In the latest spring campaign, Dark Gaboon deployed LockBit 3.0 ransomware against Russian victims. The group uses a version that was publicly leaked in 2022 and is now employed by numerous cybercriminals. But unlike LockBit affiliates operating under the ransomware-as-a-service model, Dark Gaboon appears to function independently. Dark Gaboon relies on phishing emails written in Russian, crafted to appear urgent and directed at employees in financial departments. The malicious attachments are disguised as legitimate financial documents based on templates downloaded from legitimate Russian-language sources. These decoy files have remained relatively unchanged since 2023, but once inside a victim's network, the group deploys LockBit 3.0 to encrypt files and leaves behind a ransom note in Russian containing two contact email addresses. Researchers found no signs of data exfiltration during these recent incidents. The group uses open-source tools including RevengeRAT, XWorm and LockBit ransomware to blend in with broader cybercriminal activity, making attribution difficult. Positive Technologies said they could not identify the individuals behind Dark Gaboon, but said the perpetrators are likely fluent in Russian. The same email addresses and current ransom notes were previously linked to LockBit-based attacks on Russian financial institutions between March and April 2023. Positive Technologies was sanctioned by the US in 2021 for allegedly providing IT support to Russian civilian and military intelligence agencies. The company has denied these allegations as groundless. Russian entities have previously been targeted with LockBit variants, including a December attack on the largest dairy processing plant in southern Siberia.

Elon Musk's Department of Government Efficiency, the Doge team, installed a Starlink satellite Internet terminal at the White House, reportedly without informing communications security staff, potentially allowing data transmission outside normal tracking systems. The Doge team installed the Starlink terminal on the roof of the Eisenhower Executive Office Building in February with the approval of the Trump administration but against the concerns of security officials, according to the Washington Post. The installation raised alarms among security experts who worried the system could bypass White House data tracking and monitoring systems. The officials in charge of protecting White House communications were not informed of the installation ahead of time, insiders told the Post. "With a Starlink connection, that means White House devices could leave the network and go outside the gateways," a person familiar with the matter told the Daily Beast. "It's going to help you bypass security." Doge officials said the Starlink installation was intended to address Internet dead zones on the White House campus. However, the move created a separate network that bypassed traditional White House security protocols that track data transmission with names and timestamps. A Starlink guest Wi-Fi network appeared on White House phones in February, requiring only a password rather than the usual username and second form of authentication typically required for White House guest networks. The network was still appearing on White House visitors' phones this week, according to the Washington Post. The installation initially triggered a confrontation between Doge employees and the Secret Service, though the Secret Service later downplayed their security concerns. Secret Service spokesperson Anthony Guglielmi told the Washington Post, "We were aware of Doge's intentions to improve Internet access on the campus and did not consider this matter a security incident or a security breach." The White House referred questions to the Secret Service, which said it could not discuss specific technology systems for security reasons. The Starlink installation is part of a broader pattern of Doge accessing sensitive government data systems; at other agencies, Doge staffers have demanded deep access to data and disabled logging that tracked what they did with it. In April, a whistleblower at the National Labor Relations Board accused Doge of a significant cybersecurity breach, alleging the team accessed sensitive data while requesting their activities not be logged and attempting to cover their tracks. We covered that story in an interview with the whistleblower. Starlink is operated by Musk's SpaceX company, and Musk has since stepped back from his government role as his relationship with Trump has deteriorated.

A hardware enthusiast successfully used ChatGPT to modify a locked Android tablet's BIOS, bypassing factory reset protection and Secure Boot to install Windows 10 and Linux on the previously unusable device. XDA forum member DeviceModder documented the breakthrough with a Panasonic ToughPad FZ-A2 tablet that was locked with factory reset protection, which ties devices to user accounts and prevents unauthorized use after factory resets. The modder used a $14 CH341A flash programmer to extract the tablet's UEFI BIOS and then uploaded the binary file to ChatGPT with instructions to completely disable Secure Boot and remove Panasonic's proprietary security keys. The AI successfully modified the BIOS code, allowing the modder to reflash the firmware back to the device. The modder wrote, "To my knowledge, there's no information on the hack I did online and I might be the first person to attempt this," explaining that the tablet's Secure Boot keys were designed to only run Android and blocked any attempts to boot from external drives. After flashing the ChatGPT-modified BIOS, the tablet successfully booted Linux Mint and later Windows 10. However, some hardware components, including the touchscreen, cameras, barcode reader and audio systems, still have compatibility issues requiring additional driver work. So on the plus side, the technique could potentially help unlock thousands of ex-corporate devices sitting unused in secondary markets due to forgotten firmware passwords or FRP locks. Used device marketplaces contain numerous laptops and tablets rendered unusable by such security measures. However, security experts note it also raises questions about the robustness of firmware-level protections when AI tools can potentially identify and disable security measures. The modder shared details of the process to help others potentially recover similar locked devices for legitimate reuse.

And that's our show. Love to hear from you. You can reach us at editorial@technewsday.ca, or if you're watching this on YouTube, just leave a comment under the video. And if you find the content helpful or enjoyable, please consider going to buymeacoffee.com/techpodcast, that's buymeacoffee.com/techpodcast, and buy us a coffee. It really helps with the cost of producing the shows. I'm your host, Jim Love. Thanks for listening.
Comprehensive Summary of "Cybersecurity Today" Podcast Episode
Episode Title: Cybersecurity Today: State-Backed ChatGPT Misuse, Dark Gaboon Attacks, and Starlink Installation Controversy
Host: Jim Love
Release Date: June 11, 2025
Overview:
In the opening segment, host Jim Love discusses OpenAI's recent crackdown on ChatGPT accounts associated with state-sponsored threat actors from countries including China, Russia, North Korea, Iran, and the Philippines. These accounts were reportedly leveraging ChatGPT to execute malicious activities such as developing malware, orchestrating disinformation campaigns, and conducting employment scams.
Overview:
Jim Love sheds light on the alarming activities of the Dark Gaboon hacker group, which has been systematically attacking Russian companies using Lockbit 3.0 ransomware since 2023. Unlike traditional ransomware-as-a-service models, Dark Gaboon operates independently, posing significant challenges for attribution and defense.
Overview:
The podcast delves into the contentious installation of a Starlink satellite internet terminal at the White House by Elon Musk's Department of Government Efficiency, known as the Doge team. This installation proceeded without prior notification to communications security staff, raising significant security concerns.
Overview:
In a groundbreaking development, a hardware enthusiast successfully used ChatGPT to modify the BIOS of a locked Android tablet, specifically the Panasonic ToughPad FZ-A2. This modification bypassed factory reset protection (FRP) and Secure Boot, enabling the installation of alternative operating systems such as Windows 10 and Linux.
This episode of "Cybersecurity Today" presents a multifaceted exploration of contemporary cybersecurity challenges, ranging from the misuse of advanced AI tools by state actors to sophisticated ransomware attacks and controversial security breaches within government infrastructure. Additionally, the innovative yet concerning use of AI in device security highlights the evolving landscape where technology serves both protective and potentially disruptive roles. Host Jim Love effectively underscores the imperative for robust cybersecurity measures in an era marked by rapid technological advancements and complex threat vectors.