Hackers and propagandists are wielding artificial intelligence (AI) to create malicious software, draft convincing phishing emails and spread disinformation online, Canada’s top cybersecurity official told Reuters, early evidence that the technological revolution sweeping Silicon Valley has also been adopted by cybercriminals.
In an interview this week, Canadian Centre for Cyber Security Head Sami Khoury said that his agency had seen AI being used “in phishing emails, or crafting emails in a more focused way, in malicious code (and) in misinformation and disinformation.”
Khoury did not provide details or evidence, but his assertion that cybercriminals were already using AI adds an urgent note to the chorus of concern over the use of the emerging technology by rogue actors.
In recent months several cyber watchdog groups have published reports warning about the hypothetical risks of AI — especially the fast-advancing language processing programs known as large language models (LLMs), which draw on huge volumes of text to craft convincing-sounding dialogue, documents and more.
In March, the European police organization Europol published a report saying that models such as OpenAI‘s ChatGPT had made it possible “to impersonate an organisation or individual in a highly realistic manner even with only a basic grasp of the English language.” The same month, Britain’s National Cyber Security Centre said in a blog post that there was a risk that criminals “might use LLMs to help with cyber attacks beyond their current capabilities.”
Cybersecurity researchers have demonstrated a variety of potentially malicious use cases and some now say they are beginning to see suspected AI-generated content in the wild. Last week, a former hacker said he had discovered an LLM trained on malicious material and asked it to draft a convincing attempt to trick someone into making a cash transfer.
The LLM responded with a three paragraph email asking its target for help with an urgent invoice.
“I understand this may be short notice,” the LLM said, “but this payment is incredibly important and needs to be done in the next 24 hours.”
Khoury said that while the use of AI to draft malicious code was still in its early stages — “there’s still a way to go because it takes a lot to write a good exploit” — the concern was that AI models were evolving so quickly that it was difficult to get a handle on their malicious potential before they were released into the wild.
“Who knows what’s coming around the corner,” he said.
