Prompt-Engineering Nation-State Attacks: Meet the Cyber Av3ngers
An ABCbyD Threat Actor Profile
Introduction: A New Cyber Frontier with AI
AI is accelerating in cybersecurity—and not just on the defensive side. Nation-state actors are now deploying AI to automate attacks at scale. A recent report that caught my attention details how Cyber Av3ngers, a sophisticated threat actor, used ChatGPT to design and refine exploits targeting industrial control systems (ICS).
This is not a new phenomenon. We have heard reports on (and I myself have written about) how AI is going to affect offensive cyber capabilities. Given the scope of this campaign, what stood out to me is the speed and scale at which these attacks can now be executed.
Attacks that previously required months to years of manual effort are now achievable within days, compressing the attack lifecycle. The Cyber Av3ngers are pushing the boundaries of nation-state operations, combining AI tools to mimic advanced campaigns like those of Volt Typhoon but with far greater efficiency and automation.
This week’s ABCbyD will dig into the implications of the Cyber Av3ngers attack (including who they are), what AI is actually allowing attackers to do, and what we might expect given the rise of AI-enabled cyberattacks.
To be clear, the sky isn’t falling, and Skynet doesn’t exist. But AI is lowering the bar to entry, and with it raising the velocity and voracity of sophisticated adversarial intrusions. Let’s dive in!
Who Are the Cyber Av3ngers?
The Cyber Av3ngers are an Iranian-backed hacking group, officially identified as G1027 in the MITRE ATT&CK framework. Unlike financially motivated attackers, their objective is long-term operational disruption, often targeting critical infrastructure like water utilities. Their campaigns blend espionage and sabotage, aligning their attacks with geopolitical goals and Iranian state interests.
The U.S. government recognizes the danger they pose, offering bounties for information leading to their identification. Operating at the intersection of cyber warfare and espionage, the Cyber Av3ngers aim to disrupt services and project influence by compromising vital infrastructure, raising the stakes for defenders.
Notable Breaches by the Cyber Av3ngers
The Cyber Av3ngers have been active since 2020; here are two examples from November 2023 of attacks they conducted here in the good ol’ US of A. Note that in both cases their targets were critical infrastructure systems.
Municipal Water Authority Attack:
The Cyber Av3ngers compromised a Unitronics PLC at the Municipal Water Authority of Aliquippa by exploiting weak or default passwords and targeting the default programming port. Once inside, they renamed the PLC to "Gaza" and defaced the system interface, disrupting normal operations and making it clear the attack was politically motivated.
Multiple Water and Wastewater Systems Breaches:
This attack targeted multiple U.S.-based Water and Wastewater Systems (WWS) facilities running Unitronics Vision Series PLCs. Notably, the attackers displayed a defacement message on the compromised systems:
"You have been hacked, down with Israel. Every equipment 'made in Israel' is Cyberav3ngers legal target."
By exploiting default credentials and internet-exposed devices, the Cyber Av3ngers achieved system defacement and operational disruption, raising alarms across the industry about the vulnerabilities of OT devices in critical infrastructure sectors.
How AI Enables Their Cyber Operations
The Cyber Av3ngers use AI tools to automate every phase of the attack lifecycle, enhancing both speed and efficiency. Their approach includes:
Reconnaissance: ChatGPT-generated scripts rapidly scan infrastructure for vulnerabilities, cutting down mapping efforts from weeks to minutes.
Lateral Movement: Automated scripts facilitate cross-network access, giving attackers persistent control over multiple systems.
Command and Control (C2) Channels: AI-generated commands obfuscate communications, making it harder for defenders to detect malicious activity.
This automation reduces the need for human intervention, allowing attackers to focus on evading detection and customizing payloads to suit each environment.
An AI-Based Obfuscation Example
To illustrate the ease with which AI can enable attacks, I recently asked ChatGPT to generate a base64-encoded PowerShell script. A caveat: the task was relatively simple. Write and obfuscate a PowerShell script that scans my network for open ports and pings the listening devices to produce a status report.
Attackers use PowerShell scripts like this for:
Reconnaissance: identify active hosts and open ports on a network, providing a roadmap for further exploitation.
Vulnerability Scanning: After identifying open ports, attackers may scan these ports for known vulnerabilities or weak services, allowing them to gain unauthorized access or move laterally within a network.
Denial of Service (DoS): Scripts that automatically ping or connect to devices en masse can be used to flood a network, potentially causing performance issues or denial-of-service conditions.
C2 Establishment: The ability to identify and connect to open ports could assist attackers in establishing command-and-control (C2) channels.
The output? Exactly what I was looking for, in 5 seconds. Pre-GPT this could’ve taken 30 to 90 minutes and a few different tools. To put this in perspective, I just improved my efficiency by 1080x (or 108,000%).
While this is a low-stakes example, the capability I just scripted up can easily be repurposed to establish command-and-control channels, the backbone of many sophisticated attacks.
Screenshot: my truncated Base64 command
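Here is what the defender’s side of this looks like. This is an added example of my own, not code from the report or from the group’s tooling: it takes constructed process-creation log lines (the kind you would get from Windows event 4688 or Sysmon), decodes the UTF-16LE base64 payload that powershell.exe -EncodedCommand expects, and flags the ping-and-port-probe primitives the script above relies on. The command lines, IP range and port are constructed for the example.

```python
import base64
import re

def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample: a minimal ping sweep plus TCP connect, as an attacker would encode it.
RECON_SCRIPT = ('1..254 | ForEach-Object { if (Test-Connection -Count 1 -Quiet "10.0.0.$_") '
                '{ (New-Object Net.Sockets.TcpClient).Connect("10.0.0.$_", 502) } }')

# Constructed process-creation command lines (not real log data).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + encode_ps(RECON_SCRIPT),
    "powershell.exe -Command Get-ChildItem C:\\Users",
    "powershell.exe -enc " + encode_ps("Get-Date"),
]

# Scanning primitives worth flagging once the payload is readable again.
RECON_PATTERNS = [
    r"Test-Connection",
    r"Test-NetConnection",
    r"Net\.Sockets\.TcpClient",
    r"\d+\.\.\d+\s*\|\s*ForEach-Object",   # numeric range piped into a loop: host or port sweep
]

# -EncodedCommand and its accepted abbreviations, followed by the base64 blob.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an -EncodedCommand payload, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None   # not a well-formed encoded command; leave it for other rules

def triage(cmdline: str) -> dict:
    """Decode if needed, then report which recon primitives appear in the (decoded) script."""
    decoded = decode_encoded_command(cmdline)
    hits = [p for p in RECON_PATTERNS if re.search(p, decoded or cmdline)]
    # Encoding alone is not malicious; encoding plus scanning primitives is worth an alert.
    return {"encoded": decoded is not None, "decoded": decoded,
            "recon_hits": hits, "alert": decoded is not None and bool(hits)}

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(triage(line))
```

Only the first sample line alerts: it is both encoded and, once decoded, contains a ping sweep and a TCP connect; the harmless encoded Get-Date does not.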
In short: AI significantly lowers barriers to entry, making it easier for attackers with minimal technical expertise to launch high-level campaigns.
The math is simple:
(More attackers + faster automation)*iteration = more sophisticated attacks
Key Trends in AI-Driven Cyberattacks
Recent findings from ISACA indicate the following trends:
AI-Driven Attacks on the Rise: Attacks powered by AI are expected to increase by 50% by the end of 2024 compared to 2021 levels.
Advanced Phishing Campaigns: AI will fuel highly personalized phishing emails and deep fakes, making social engineering attacks more convincing and harder to detect.
AI-Powered Malware: Attackers are developing adaptive malware capable of evolving to avoid detection by security tools.
Cloud and IoT Exploits: With more devices connected to the cloud, AI is increasingly used to target IoT ecosystems and cloud services.
Automated Espionage: AI enhances espionage operations, allowing attackers to automate data extraction and analyze large datasets efficiently.
Again, the sky isn’t falling, but it’s good to be aware of these trends. AI is here to stay, and the bad guys have a track record of using it for nefarious purposes and of iterating consistently. As we like to say in the industry about how attackers adapt to your defenses: “the best way to build a 14 foot ladder is to build a 13 foot fence.”
It’s up to us to think about how we can leverage AI and the automation advantages it provides to improve our defenses against the rising tide of attacks.
Conclusion: Automation Cuts Both Ways
The Cyber Av3ngers exemplify how AI is reshaping cyber warfare. Their use of automation and AI tools underscores the importance of speed, precision, and scale in modern cyber operations. As attackers adopt these technologies, defenders must stay ahead by leveraging the same tools and strategies.
AI alone is not a silver bullet, but it can provide defenders with the edge needed to keep pace with evolving threats. The race is on—those who harness AI effectively will stay secure, while those who don’t risk falling behind in the face of automated, sophisticated attacks.
Stay secure and stay curious!
Damien
References
The Cyber Express. (n.d.). CyberAv3ngers use ChatGPT to plan ICS attacks
MITRE ATT&CK. (n.d.). G1027 Group Profile
Rewards for Justice. (n.d.). Reward for information on Iranian hackers targeting water utilities
ISACA. (2024). AI-Powered Cybersecurity to Tackle AI-Driven Cyberattacks