Google: State-Sponsored Hackers Now Use AI at Every Stage of the Cyberattack Cycle

A new report from Google found evidence that state-sponsored hacking groups have leveraged AI tool Gemini at nearly every stage of the cyber attack cycle.

Key Findings

The research underscores how AI tools have matured in their cyber offensive capabilities, even as it does not reveal novel or paradigm-shifting uses of the technology.

John Hultquist, chief analyst at Google's Threat Intelligence Group, noted that many countries still appear to be experimenting with AI tools, determining where they best fit into the attack chain and provide more benefit than friction.

"Nobody's got everything completely worked out," Hultquist said. "They're all trying to figure this out and that goes for attacks on AI, too."

How Nation-States Are Using Gemini

The report reveals that frontier AI models can build speed, scale, and sophistication into a myriad of hacking tasks. Specific documented uses include:

North Korea synthesizing open-source intelligence about job roles and salary information at cybersecurity and defense companies
A North Korean group consulting Gemini "multiple days a week" for technical support and malware generation
An Iranian APT using it to "significantly augment reconnaissance" techniques
China, Russia, Iran, and North Korea all using Gemini to create fake articles, personas, and other assets for information operations

Current Limitations

No instances of state groups using Gemini to automate large portions of cyber attacks were found, suggesting threat actors may still struggle to implement fully or mostly-automated hacks using AI.

Hultquist indicated that espionage-focused state groups may not prioritize the speed and scale advantages of agentic AI if it results in louder, more detectable operations.

Future Outlook

While state actors continue experimenting with AI models, analysts believe these developments will help smaller cybercriminal outfits more than state-sponsored hackers on average. However, this dynamic could shift as frontier AI companies develop models with powerful defensive cybersecurity capabilities that foreign governments could repurpose for offensive hacking.

The UK AI Security Institute's inaugural report on frontier AI trends found that "the duration of cyber tasks that AI systems can complete without human direction is also rising steeply, from less than 10 minutes in early 2023 to over an hour by mid-2025."