OpenAI announced on Friday that it had blocked a set of accounts linked to what it described as an Iranian covert influence operation, which used ChatGPT to generate content focused on, among other things, the upcoming US presidential election.
How OpenAI Foiled an Iranian-Influenced Hack
“This week we identified and disabled a group of ChatGPT accounts that were generating content for an Iranian covert influence operation identified as Storm-2035”, OpenAI declared, adding: “The operation used ChatGPT to generate content focused on a range of topics, including comments about candidates of both parties in the U.S. presidential election, which were then shared via social media accounts and websites.”
Artificial intelligence (AI) firm OpenAI said the content failed to garner significant engagement, with most social media posts receiving few or no likes, shares or comments. It also said it had found little evidence that the long-form articles created with ChatGPT were shared on social media platforms.
The content of articles created with OpenAI’s own tool
The articles covered U.S. politics and global events, and were published on five different websites that presented themselves as liberal and conservative news outlets, indicating an attempt to target people on both sides of the political spectrum.
OpenAI said ChatGPT was used to create comments in English and Spanish, which were then posted to a dozen accounts on X and one on Instagram, and that some of those comments were generated by asking its AI models to rewrite comments posted by other social media users.
“The operation generated content on various topics: mainly the conflict in Gaza, Israel’s presence at the Olympic Games and the US presidential election, and to a lesser extent politics in Venezuela, Latinx rights in the United States (in both Spanish and English), and Scottish independence”, OpenAI said, adding: “They interspersed their political content with comments on fashion and beauty, perhaps to appear more authentic or in an attempt to build a following.”
The Hacker Group That OpenAI Preemptively Thwarted
Storm-2035 was also one of the cybercriminal groups highlighted last week by Microsoft, which described it as an Iranian network “actively engaged with groups of US voters at opposite ends of the political spectrum with polarizing messages on issues such as U.S. presidential candidates, LGBTQ rights, and the Israel-Hamas conflict.”
Some of the fake news and commentary sites created by the group include EvenPolitics, Nio Thinker, Savannah Time, Teorator, and Westland Sun; these sites have also been found to use AI-enabled services to plagiarize some of their content from US-based publications.
It is believed that this group has been active since at least 2020.
Microsoft has also warned of an increase in foreign malign influence activity targeting the U.S. elections over the past six months by Iranian and Russian networks, the latter traced to groups identified as Ruza Flood (also known as Doppelganger), Storm-1516, and Storm-1841 (aka Rybar).
“Doppelganger spreads and amplifies fabricated, false or even legitimate information through social networks”, the French cybersecurity company HarfangLab said. “To do this, social media accounts post links that start a chain of obfuscated redirects leading to the final content sites.”
Articles “written” via compromised accounts
However, there are signs that the propaganda network is changing tactics in response to more aggressive enforcement of the rules, increasingly using non-political posts and ads and spoofing non-political news and entertainment sites such as Cosmopolitan, The New Yorker and Entertainment Weekly in an effort to evade detection, according to Meta.
Posts contain links that, when clicked, redirect users to an article about the war in Russia or geopolitics on one of the spoofed domains that mimic entertainment or health publications; ads are created using compromised accounts.
The social media company, which has disrupted 39 influence operations from Russia, 30 from Iran and 11 from China on its platforms since 2017, said it discovered six new networks from Russia (4), Vietnam (1) and the United States (1) in the second quarter of 2024.
After OpenAI, Meta and Google weigh in
“Since early May, Doppelganger has resumed its attempts to share links to its domains, but at a much slower rate”, Meta said. “We have also seen experiments with multiple redirect steps, including the URL shortening service TinyURL, to hide the final destination behind the links and fool both Meta and our users in an attempt to avoid detection and lead people to their off-platform websites.”
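The redirect-chain evasion described by HarfangLab and Meta above (shortener links, several hops, a final site spoofing a real publication) is something a platform's link-safety pipeline can score. The following is an added example, not code from the article, OpenAI, Meta or HarfangLab: it resolves a chain offline against a constructed table that stands in for the HTTP Location headers a crawler would observe, and flags chains that pass through URL shorteners or several hops before landing on a domain imitating a known publisher. The shortener host list and the lookalike check are assumptions made for this example.

```python
"""Score redirect chains for shortener-plus-hops patterns and spoofed publisher domains.

Added example (not from the article or any vendor). All URLs, hosts and
the redirect table below are constructed for the demonstration.
"""
from urllib.parse import urlparse

# Constructed stand-in for Location headers a link crawler would record.
REDIRECTS = {
    "https://tinyurl.com/abc123": "https://t.ly/zzz9",
    "https://t.ly/zzz9": "https://promo-tracker.example/r?id=77",
    "https://promo-tracker.example/r?id=77": "https://cosmopolitan-daily.example/article/1",
    # A benign shortened link to the genuine publication, for contrast.
    "https://tinyurl.com/real": "https://www.cosmopolitan.com/some-story",
}

# Assumed shortener hosts for this example (not a list taken from the article).
SHORTENER_HOSTS = {"tinyurl.com", "t.ly", "bit.ly"}

# Brand token -> genuine registered domain of publications named as spoofed above.
KNOWN_PUBLISHERS = {
    "cosmopolitan": "cosmopolitan.com",
    "newyorker": "newyorker.com",
    "entertainmentweekly": "ew.com",
}

MAX_HOPS = 10  # stop following runaway or looping chains


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    # Naive last-two-labels rule; a public-suffix list would be used in production.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def follow_chain(start, table=REDIRECTS):
    """Return the list of URLs visited, from `start` to the final landing URL."""
    chain = [start]
    seen = {start}
    while chain[-1] in table and len(chain) <= MAX_HOPS:
        nxt = table[chain[-1]]
        if nxt in seen:  # redirect loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def lookalike_of(host):
    """Return the brand a host imitates, or None if genuine / unrelated."""
    if registered_domain(host) in KNOWN_PUBLISHERS.values():
        return None
    flat = host.replace("-", "").replace("_", "")
    for brand in KNOWN_PUBLISHERS:
        if brand in flat:
            return brand
    return None


def assess(start, table=REDIRECTS):
    """Follow a link and return a verdict with human-readable reasons."""
    chain = follow_chain(start, table)
    hops = len(chain) - 1
    shorteners = sorted({host_of(u) for u in chain[:-1] if host_of(u) in SHORTENER_HOSTS})
    final_host = host_of(chain[-1])
    reasons = []
    brand = lookalike_of(final_host)
    if brand:
        reasons.append(f"final host {final_host} imitates {brand}")
    if shorteners and hops >= 2:  # a shortener followed by further redirects
        reasons.append(f"{hops} hops via shortener(s) {shorteners}")
    return {"chain": chain, "hops": hops, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for url in ("https://tinyurl.com/abc123", "https://tinyurl.com/real"):
        print(url, "->", assess(url))
```

A single shortener hop to a genuine domain is left alone; the score only rises when a shortener is combined with further hops or when the landing host borrows a publisher's name without being its registered domain.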
The development comes as Google’s Threat Analysis Group (TAG) also said this week that it had detected and disrupted Iranian-backed spear-phishing efforts aimed at compromising the personal accounts of high-profile users in Israel and the United States, including those associated with U.S. presidential campaigns.
The activity has been attributed to a cybercriminal group called APT42, a state-sponsored hacking group affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), which is known to overlap with another hacking group known as Charming Kitten (aka Mint Sandstorm).
“APT42 uses a variety of different tactics as part of their email phishing campaigns, including malware hosting, phishing pages, and malicious redirects”, the tech giant said. “They usually try to abuse services like Google (e.g. Sites, Drive, Gmail and others), Dropbox, OneDrive and others for these purposes.”
The strategy of cyber criminals
The general strategy is to gain the trust of their targets by using sophisticated social engineering techniques with the aim of getting them out of their email and into instant messaging channels such as Signal, Telegram or WhatsApp, before pushing fake links designed to harvest their login information.
Phishing attacks are characterized by the use of tools such as GCollection (aka LCollection or YCollection) and DWP to harvest credentials from Google, Hotmail and Yahoo users, Google noted, highlighting the “APT42’s strong understanding of the email service providers they target.”
“Once APT42 gains access to an account, they often add additional login mechanisms, including changing recovery email addresses and using features that allow applications that don’t support multi-factor authentication, such as application-specific passwords in Gmail and third-party app passwords in Yahoo”, it added.
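The persistence pattern Google describes above (a recovery address changed, an app-specific password created) leaves a recognisable sequence in an account's audit trail. The following is an added example, not code from the article or from Google, and it assumes a generic JSON event shape rather than any provider's real log format; the event names, users, IPs and timestamps are constructed. It flags accounts where such a change follows, within a short window, a sign-in from a source the account has never used before.

```python
"""Flag recovery-address changes and app-password creation shortly after an unfamiliar sign-in.

Added example (not from the article or any provider). The log shape and
event names are assumptions; every line of SAMPLE_LOG is constructed.
"""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)
# Assumed event names for the "additional login mechanisms" Google describes.
PERSISTENCE_EVENTS = {"recovery_email_changed", "app_password_created"}

SAMPLE_LOG = """
{"ts": "2024-08-10T08:00:00Z", "user": "alice", "event": "login", "ip": "203.0.113.5"}
{"ts": "2024-08-12T09:00:00Z", "user": "alice", "event": "login", "ip": "203.0.113.5"}
{"ts": "2024-08-14T22:10:00Z", "user": "alice", "event": "login", "ip": "198.51.100.77"}
{"ts": "2024-08-14T22:14:00Z", "user": "alice", "event": "recovery_email_changed", "ip": "198.51.100.77", "detail": "new=recovery@example.net"}
{"ts": "2024-08-14T22:20:00Z", "user": "alice", "event": "app_password_created", "ip": "198.51.100.77", "detail": "name=MailClient"}
{"ts": "2024-08-13T10:00:00Z", "user": "bob", "event": "login", "ip": "192.0.2.9"}
{"ts": "2024-08-13T10:05:00Z", "user": "bob", "event": "app_password_created", "ip": "192.0.2.9", "detail": "name=Phone"}
"""


def parse_events(text):
    """Parse one JSON object per line and return events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def find_persistence_after_new_login(events):
    """Return {user: [findings]} for persistence events inside WINDOW of an unfamiliar login.

    A login counts as unfamiliar only when the account already has a baseline of
    earlier sign-ins from other sources; an account with no history (bob) is not
    flagged, which avoids alerting on every brand-new account.
    """
    known_ips = {}      # user -> IPs seen in earlier logins
    open_windows = {}   # user -> (timestamp, ip) of the latest unfamiliar login
    findings = {}
    for e in events:
        user, ip, ev = e["user"], e.get("ip"), e["event"]
        if ev == "login":
            seen = known_ips.setdefault(user, set())
            if seen and ip not in seen:
                open_windows[user] = (e["ts"], ip)
            seen.add(ip)
        elif ev in PERSISTENCE_EVENTS and user in open_windows:
            login_ts, login_ip = open_windows[user]
            delta = e["ts"] - login_ts
            if delta <= WINDOW:
                findings.setdefault(user, []).append({
                    "event": ev,
                    "ts": e["ts"].isoformat(),
                    "ip": ip,
                    "after_new_login_from": login_ip,
                    "minutes_after_login": int(delta.total_seconds() // 60),
                    "detail": e.get("detail"),
                })
    return findings


if __name__ == "__main__":
    for user, hits in find_persistence_after_new_login(parse_events(SAMPLE_LOG)).items():
        for h in hits:
            print(f"{user}: {h['event']} {h['minutes_after_login']} min after new login from {h['after_new_login_from']} ({h['detail']})")
```

In a real deployment the baseline would come from a longer history than the sample here and the "source" would include device or geolocation signals, not only the IP; the ordering logic (unfamiliar sign-in, then a change that weakens or bypasses MFA) is what the detection keys on.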