AI/ML

AI helps Russian-speaking GreyVibe run five parallel attack chains on Ukrainian targets

Ukraine hacked state security. Cyberattack on the financial and banking structure. Theft of secret information. On a background of a flag the binary code.

A Russian-speaking group called GreyVibe operating in the Moscow time zone has been using AI platforms such as Ideogram AI, ChatGPT, and Google Gemini to launch attacks, underscoring the use by threat actors of commonly used AI tools. 

In a May 28 blog post, WithSecure researchers said the threat group uses custom-developed obfuscators generating fake content to drop loaders and malware that attacks military, government, civilian, and business organizations in the Ukraine across five common attack chains: PhantomMail, PhantomClick, Princess Club, DroneLink, and Nebo.

“What's notable about GreyVibe isn't that the attack chains are entirely new — it's that AI is helping threat actors industrialize them,” said Shane Barney, chief information security officer at Keeper Security. “AI allows adversaries to create more convincing phishing lures, fake websites, personas and social-engineering content at a scale and speed that would have required exponentially more resources in the past. The result is that attacks become more personalized, more believable and harder for users to distinguish from legitimate communications.”

Barney said organizations should assume that AI-assisted phishing and credential theft campaigns will continue to increase. Security teams need to focus on identity-first defenses, including strong password management, phishing-resistant multi-factor authentication, least-privilege access controls and continuous monitoring of privileged accounts. Barney added that AI may make social engineering more effective, but the fundamental goal remains the same: stealing credentials and gaining access.

Sergio Villegas, senior managing analyst II at Bishop Fox, added that AI and LLM technologies make it faster for threat actors to weaponize campaigns and adapt better to regional environments. Villegas said automating tedious tasks has become popular in these type of encounters, and creating custom-tailored documents for luring is not unheard of: speed and accuracy becomes the biggest change.

“The ability to repurpose or rebuild malicious infrastructure at scale is becoming easier as well,” said Villegas. “Takedowns and seizures of Cloud and SaaS asset types are less of a concern and risk for threat groups since they can keep moving, again speeding up and by consequence elevating the level of resilience by them.”

Yagub Rahimov, chief executive offier at Polygraf AI, explained that the useful read on WithSecure's GreyVibe report is not that another group adopted generative AI: it’s that AI has compressed the time, headcount, and expertise an operation needs to reach production scale.

“A group WithSecure assesses as below mature nation-state tradecraft still sustained five parallel, regionally tailored campaigns against Ukrainian targets,” said Rahimov. “For warfighters and cyber defenders, that widens the planning assumption considerably. Actors capable of credible, sustained operations are growing faster than the actors with elite skills. The same technology is available for the good and bad actors.”

Ram Varadarajan, chief executive officer at Acalvio, said the integration of AI essentially gives these hackers a major superpower, letting them churn out incredibly convincing, customized fake content and slick custom malware code at a speed and scale we haven't seen before.

“To fight back, security teams need to look past basic red flags,” said Varadarajan. “Really step up employee training to catch these hyper-realistic scams, and use smart behavioral tools that can spot weird malware activity in real-time. In the end, we'll have to meet a bot with a bot.”

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds