{"slug": "ai-once-relegated-to-helping-hackers-with-certain-tasks-can-now-power-every-of-a", "title": "AI, once relegated to helping hackers with certain tasks, can now power every stage of a cyberattack", "summary": "AI is now being used at every stage of cyberattacks, from identifying targets to stealing data, according to new research from cybersecurity firm Check Point. Hackers are using both U.S. and Chinese AI models to generate commands, test vulnerabilities, and move through victim networks with less human oversight than before. The shift marks a move from AI as an occasional aid to a primary operator in offensive cyber operations.", "body_md": "# AI, once relegated to helping hackers with certain tasks, can now power every stage of a cyberattack\n\n## Researchers determined that AI was used in steps across entire cyber operations to identify security flaws, generate commands and carry out parts of intrusions, sometimes with little human oversight. Both U.S. and Chinese AI models have been involved.\n\nJust two years ago, hackers were [tapping into generative artificial intelligence](https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/) to probe targets, translate technical material and troubleshoot malicious code. The technology sped up some key parts of a cyber operation, but other stages remained solely in human hands.\n\nThat line is now beginning to blur. In a range of cyberattacks observed over the past year, AI systems generated commands, tested vulnerabilities and helped hackers move through victim networks, sometimes carrying out thousands of commands with less human direction than researchers had previously seen, according to [research](https://engage.checkpoint.com/ai-security-report-2026) released Monday night by cybersecurity firm Check Point.\n\nIt means AI has now been used in some form at every stage of a cyberattack, from identifying targets to exploiting vulnerabilities to stealing data, to help hackers achieve their goals.\n\nThe shift does not yet amount to fully autonomous hacking, a top company executive told *Nextgov/FCW*, but it shows that AI is moving from an occasional aid to an extra set of hands throughout the entirety of an intrusion process. The findings also highlight how rapidly the global cyber ecosystem has adopted AI, with the technology now embedded across every part of an offensive operation rather than confined to isolated tasks.\n\n“We watched criminal groups breach government agencies at scale, using AI as the primary operator rather than a background assistant,” the Check Point report says. In most cases, the AI model’s role was revealed by the attacker’s own mistakes or [monitoring](https://www.nextgov.com/cybersecurity/2024/02/microsoft-and-openai-swept-ai-chat-logs-find-hackers-expect-become-norm/394205/) by the AI provider, rather than tools or safeguards deployed by the victim organization.\n\nFor these AI-enabled pursuits, hackers have used open-source models and purpose-built malicious AI tools [sold on the dark web](https://www.infosecurity-magazine.com/news/dark-web-mentions-malicious-ai/), but major commercial providers remain their primary choice, company threat intelligence lead Sergey Shykevich said in an interview.\n\nThe research points to the [Gentlemen ransomware group](https://unit42.paloaltonetworks.com/the-gentlemen-ransomware/) as one instance of how AI is being folded into routine criminal operations. Members compared mainstream commercial models based largely on which imposed the fewest restrictions and used AI to help build internal tools, including a management platform developed in three days.\n\nThe findings also highlight VoidLink — a sophisticated toolkit for remotely controlling infected computers — that researchers initially believed had taken a team several months to build. Check Point later found that a single developer produced roughly 88,000 lines of working code in under a week using a commercial AI coding tool.\n\nHackers tend to first choose U.S. AI models like ChatGPT or Claude because their responses are generally considered higher-quality, but they have a tougher time exploiting those families of models because of stronger guardrails designed to prevent malicious use of the tools, Shykevich said. When those attempts fail, they then pivot to Chinese-made AI platforms that have lower guardrails.\n\n“They are trying to jailbreak those [Western] models, but when they are not successful, they just go to DeepSeek, Qwen and Trae,” he said, referring to a trio of AI models and platforms originating in China. Qwen is a suite of AI and large language models developed by Alibaba, while Trae is an AI-backed code editor and programming platform built by ByteDance. Ransomware gangs have been heavily leaning on those Chinese models to help generate code for their exploits, he noted.\n\nChinese AI models have recently grown more capable and widely used for coding tasks. Beijing has discussed [restricting overseas access](https://www.reuters.com/world/beijing-is-looking-curbing-overseas-access-chinas-top-ai-models-sources-say-2026-07-07/) to some advanced models, underscoring their growing national security value and their appeal to cybercriminals seeking tools to help with their exploits.\n\nWhen asked how these new dynamics involve targeting U.S. government and critical infrastructure organizations, Shykevich said there are certainly higher and faster levels of exploitation attempts, though he assessed that’s due to a combination of AI-enabled speed and geopolitical tensions.\n\nHe said that, in an ideal world, security flaws should now be patched within several hours of discovery, though he immediately acknowledged that would be next to impossible. The Cybersecurity and Infrastructure Security Agency recently [revamped](https://www.nextgov.com/cybersecurity/2026/06/cisa-directive-revamps-how-agencies-prioritize-vulnerable-systems/414096/) its remediation timeline guidance, ranging from three days for the highest-risk flaws to 60 days for lower-priority issues.\n\nThe move is part of CISA’s response “to the current threat landscape where AI software services can assist threat actors to find and exploit vulnerabilities,” the agency said last month.\n\nThe findings come as the latest tranche of frontier AI models is showing sharp gains in their ability to perform cybersecurity tasks. OpenAI last week [released](https://www.nextgov.com/artificial-intelligence/2026/07/openais-advanced-gpt-56-models-be-available-public/414651/) GPT-5.6, which it called its strongest cybersecurity model yet, reporting substantial gains over its predecessor on benchmarks testing exploit development and proof-of-concept generation.\n\nThe Trump administration, meanwhile, has given the National Security Agency, CISA and other federal officials until Aug. 1 to develop a classified process for benchmarking the advanced cyber capabilities of frontier AI models and determining which systems need additional government scrutiny.\n\n“The most significant shift this report documents is not a new technique. It is pace,” the Check Point report says. “A vulnerability now becomes a working exploit within hours of disclosure. Phishing campaigns run at a quality and volume no human team could match. Intrusions span dozens of targets simultaneously, with AI handling the operational work between check-ins. Security teams working at human speed cannot match that cadence.”", "url": "https://wpnews.pro/news/ai-once-relegated-to-helping-hackers-with-certain-tasks-can-now-power-every-of-a", "canonical_source": "https://www.nextgov.com/cybersecurity/2026/07/ai-once-relegated-helping-hackers-certain-tasks-can-now-power-every-stage-cyberattack/414744/", "published_at": "2026-07-14 01:00:00+00:00", "updated_at": "2026-07-14 01:22:09.566908+00:00", "lang": "en", "topics": ["artificial-intelligence", "ai-safety", "ai-policy", "ai-tools"], "entities": ["Check Point", "Sergey Shykevich", "ChatGPT", "Claude", "DeepSeek", "Qwen", "Trae", "VoidLink"], "alternates": {"html": "https://wpnews.pro/news/ai-once-relegated-to-helping-hackers-with-certain-tasks-can-now-power-every-of-a", "markdown": "https://wpnews.pro/news/ai-once-relegated-to-helping-hackers-with-certain-tasks-can-now-power-every-of-a.md", "text": "https://wpnews.pro/news/ai-once-relegated-to-helping-hackers-with-certain-tasks-can-now-power-every-of-a.txt", "jsonld": "https://wpnews.pro/news/ai-once-relegated-to-helping-hackers-with-certain-tasks-can-now-power-every-of-a.jsonld"}}