October 24, 2023

Happy Tuesday! Welcome back to Codebook.

  • 🎃 We're officially one week out 'til Halloween. Hope your costumes are coming together!
  • 📬 Have thoughts, feedback or scoops to share? [email protected].

Today's newsletter is 1,558 words, a 6-minute read.

1 big thing: ChatGPT-written phishing emails are already scary good

Illustration: Sarah Grillo/Axios

ChatGPT is already pretty good at writing believable phishing emails, despite efforts to limit its ability to do harm, according to new IBM research.

Why it matters: Cybersecurity officials and industry leaders have long warned that hackers could weaponize ChatGPT and similar AI tools to quickly write phishing emails that the average person would think are authentic.

  • IBM's research is some of the first to provide concrete details of how close AI-enabled tools are to perfecting phishing.

Driving the news: A team of IBM researchers released the results of an A/B testing experiment they ran with an unspecified global health care company's roughly 1,600 employees.

  • Half of the employees got a phishing email written fully by IBM's X-Force team.
  • The other half got an email written using ChatGPT.

By the numbers: 14% of employees who received the human-written phishing email fell for it and clicked on a malicious link, according to the IBM report, released Tuesday.

  • But the ChatGPT-written email was pretty close, with 11% of its targets falling for the note it wrote.

Between the lines: It took only five minutes for Stephanie "Snow" Carruthers, IBM's chief people hacker, who led the experiment, and her team to get ChatGPT to spit out the email her team ended up using.

  • Meanwhile, her team usually needs about 16 hours to write a believable phishing email, since they closely study the organization they're targeting to determine what issues employees are interested in.

What they're saying: "It makes me kind of fearful for the future," Carruthers told Axios.

  • "If this is what it's at right now, what's it going to be like in, I was going to say five years, but honestly, six months?"

How it works: ChatGPT developer OpenAI has put in safeguards that prevent the generative AI chatbot from responding to direct requests for a phishing email, malware or other malicious cyber tool.

  • However, social engineers like Carruthers have been able to work around those safeguards to develop malicious emails.
  • In this case, Carruthers and her team started by asking ChatGPT to list the primary areas of concerns for employees in the health care industry.
  • Then, the team asked ChatGPT to list the top social-engineering and marketing techniques an email should use to get engagement — as well as who the email should come from.
  • Finally, the team asked ChatGPT to craft an email based on the information it had just provided.

The intrigue: Initially, three of IBM's clients were signed up to participate in the study. But once they saw the email ChatGPT was able to write, two of the companies backed out because they feared too many of their employees would fall for it.

The big picture: Most cyberattacks start with an ordinary phishing email that delivers malware or sends users to a malicious website.

  • 84% of survey respondents said their organizations faced at least one successful phishing attack in 2022, according to Proofpoint's State of the Phish report.
  • The typical phishing email also isn't written by IBM researchers but by non-English speakers overseas who likely have a lower success rate.

Yes, but: Carruthers told Axios the ChatGPT-written email lacked the emotional intelligence needed to trick more employees.

  • "That human element is so important to social engineering," she said. "The AI one, it still kind of felt cold and robotic to me."
  • Right now, ChatGPT would likely only accelerate the work of experienced hackers, rather than providing new skills to inexperienced ones, since users still need some background knowledge to craft workable prompts.

Threat level: IBM's X-Force hasn't seen wide use of generative AI in current campaigns, according to the report.

  • But hackers are already developing and selling AI tools on underground cybercrime forums that could help expedite attacks in the near future.

2. Piecing together Okta's most recent breach

Illustration: Aïda Amer/Axios

The scope and scale of Okta's most recent breach is still coming together as new customers come forward to share details about how they were targeted.

Why it matters: Okta — which provides single sign-on and multifactor authentication tools — has taken a serious financial hit since it disclosed Friday that hackers had stolen some of its support case management system files.

  • The company has lost more than $2 billion in market cap since the disclosure, per CNBC.

Driving the news: Okta unveiled right before the weekend that a hacker had used a stolen password to access the company's support case management system.

  • Journalist Brian Krebs first reported the news. An Okta spokesperson told Axios the incident has resulted in "minimal" customer impact.

The big picture: This is just the latest breach in a running list of recent incidents specifically targeting Okta customers.

  • Last month, the hackers who targeted MGM Resorts and Caesars Entertainment also attacked three other Okta customers, the company told Reuters.
  • Hackers also attacked a third-party vendor in January 2022 to gain access to Okta's network, ultimately accessing information about more than 360 customers.

Between the lines: Okta counts several major companies as customers — including FedEx, T-Mobile and OpenAI — making the company a prime target for intruders looking to break into these systems.

  • During an interview before the most recent incident's disclosure, Okta CEO Todd McKinnon told Axios that the company already has strict internal cybersecurity protocols.
  • "Our bar is as high as it can be," he said.

Details: So far, three companies have identified themselves as targets of the latest cybersecurity incident.

  • BeyondTrust, another identity management company, said in a post Friday that it first alerted Okta to suspicious activity targeting an Okta administrator on Oct. 2.
  • Cloudflare released a post Friday detailing how it thwarted an attacker who had tried hijacking its Okta instance.
  • 1Password said Monday that it first detected malicious activity tied to the Okta incident on Sept. 29, but the company said it was able to stop the attack.

The intrigue: Hackers collected customers' HTTP archive, or HAR files, which Okta's support team uses to replicate customers' problems when they call with a technical problem.

  • These files include authentication cookies and session tokens, which allow hackers to impersonate users on a legitimate network.

Yes, but: Okta is still investigating who was behind the attack and how they broke in.

3. Five Eyes step up China espionage warnings

Illustration: Annelise Capossela/Axios

The U.S. and its intelligence allies are attempting to raise public awareness of China's increasing espionage campaigns.

Driving the news: The Five Eyes alliance — which includes Australia, Canada, New Zealand, the U.K. and the U.S. — appeared in its first-ever joint interview Sunday on CBS' "60 Minutes" to warn of an unprecedented increase in Chinese espionage.

  • During the interview, FBI director Christopher Wray warned that China has the "biggest hacking program in the world" and that this espionage is a "threat to our way of life."

Why it matters: The "60 Minutes" interview capped off the Five Eyes' tour of Silicon Valley last week, where officials raised additional alarm about the threat Chinese espionage poses to democracy.

  • The "60 Minutes" appearance is the strongest signal yet to the general public by Western intelligence officials of how worried they have become about the Chinese government.

The big picture: Many of the warnings that Five Eyes leaders mentioned during their recent public appearances aren't new.

Between the lines: While all countries conduct espionage, the Five Eyes members argued in the interview that China has taken it a step further by stealing companies' intellectual property, academic research and more.

  • This has put a big target on Western technology companies — especially those developing artificial intelligence, quantum and robotics technologies.

What they're saying: "I would say that if you are operating at the cutting edge of tech in this decade, you may not be interested in geopolitics, but geopolitics is interested in you," Ken McCallum, director of the U.K.'s MI5, told CBS.

Zoom in: The warnings mirror recent ones heard from cybersecurity officials.

  • Last month, the NSA, the FBI and the Cybersecurity and Infrastructure Security Agency — alongside partners in Japan — warned that China-backed hackers had been exploiting routers and their firmware to target the government, industrial, technology, media, electronics and telecommunication sectors.

4. Catch up quick

@ D.C.

🏛 CISA is facing renewed political scrutiny from GOP congressional leaders over its work to combat election disinformation. (Politico)

💸 A new report also argues that CISA needs more than just additional funding to improve its role as the nation's cyber defender. (CyberScoop)

☎️ The Federal Communications Commission is looking at new ways to crack down on risks tied to AI-enhanced robocalls. (TechCrunch)

@ Industry

🔑 Amazon is enabling passkeys for its website and mobile e-commerce apps. (The Verge)

🦾 Microsoft has opened early access to its highly anticipated, AI-enabled Security Copilot tool, which is embedded in the Defender XDR platform. (The Register)

@ Hackers and hacks

🛠 Cisco has released patches to fix two recently discovered zero-day vulnerabilities in its Cisco IOS XE Software. (Cisco)

🗳️ The D.C. Board of Elections has warned that hackers may have accessed its full voter roll during a recent breach of a third-party database server. (BleepingComputer)

🎯 Hackers are increasingly targeting the websites of Israeli and Palestinian humanitarian groups as they try to provide relief amid the ongoing war. (Wall Street Journal)

5. 1 fun thing

Screenshot: @a_greenberg/X

Brb, I'm being sucked into this Wired story depicting a startup's quest to unlock an encrypted USB that's storing close to $235 million worth of cryptocurrency. 💰🪙

☀️ See y'all Friday!

Thanks to Scott Rosenberg and Megan Morrone for editing and Khalid Adad for copy editing this newsletter.

If you like Axios Codebook, spread the word.