Fabio Fratucello, CrowdStrike's global field chief technology officer (CTO), said, "The cyberattacks that have been rampant recently existed 25 years ago, but with the advent of Generative AI, the number of hacker attempts has surged and the speed at which defenses are breached has increased exponentially." He explained that hackers are weaponizing AI to automate malware development, vulnerability analysis, and account takeover, enabling faster and broader attacks.
CrowdStrike is a cybersecurity corporation listed on the Nasdaq in the United States. Based on security technologies specializing in cloud, endpoint detection, and identity (ID) security, it has grown rapidly since its founding in 2011. Last year's revenue was $3.06 billion (about 4.4 trillion won), up about 36% from the previous year. It counts more than half of the Fortune 500, including JPMorgan, Bank of America (BoA), Amazon, and Nvidia, as clients.
In a recent interview with ChosunBiz, CTO Fratucello said, "As hackers accelerate their attack cycles, the defensive burden on corporations and institutions is growing," and added, "Corporations must proactively build an integrated, AI-centric defense system to counter this."
He cited "Scattered Spider," a cybercrime group that inflicted massive damage on global corporations such as Jaguar Land Rover and Marks & Spencer with successive ransomware attacks, as an example of hackers effectively weaponizing AI. CTO Fratucello said, "This group completed a ransomware attack in just 24 hours recently, and given that the same attack took about three days a year ago, the speed has become astonishingly fast." Scattered Spider accessed corporate systems using an account stolen in just two minutes, then changed multi-factor authentication (MFA) settings to disable notification functions for the responsible staff. "In the past, these attacks unfolded over several days to weeks," he said. "But as hackers weaponize AI, they can now carry out the same attacks in as little as two hours."
CTO Fratucello broadly categorized threat actors into three groups: nation-state hacker groups that work for the interests of specific countries or regimes; e-crime, corporate-style cybercriminals motivated by profit; and hacktivists, groups that conduct attacks for ideological reasons. He noted in particular that nation-state hackers from China and North Korea, and profit-seeking cybercrime organizations, are abusing AI in various ways to raise their success rates.
Notably, the North Korean hacker group "Famous Chollima" infiltrated more than 320 large corporations in North America, Western Europe, and East Asia last year alone by posing as software developers to get hired. The success rate of these disguised hires increased 220% from the previous year. CTO Fratucello explained, "Chollima used AI tools to create fake LinkedIn profiles and resumes to get hired by numerous companies," adding, "They also altered voice and video during online interviews using deepfake technology, and generated answers by analyzing interview questions in real time with AI."
In a recently published Threat Analysis Report, CrowdStrike mentioned Chollima, analyzing that "it was one of the most active hacker groups last year, far outpacing the operational tempo of other state-linked actors."
CTO Fratucello assessed that North Korean hackers' disguised employment is distinct from other state-linked groups in that it is more financially motivated than espionage. "China- or Russia-linked hackers often infiltrate corporations or organizations and then lie low for long periods to collect information or manipulate public opinion in other countries," he said. "By contrast, North Korea, under international sanctions, also engages in espionage through disguised employment, but the motivation to earn foreign currency is very strong."
He predicted that as AI tools continue to advance, attacks targeting AI models and AI-based infrastructure will increase significantly within the next two to three years. "We expect to see hacks that corrupt AI model parameters or training data to cause malfunctions, or induce the exposure of sensitive data or system information that should remain private."
He also expected attacks targeting cloud infrastructure to continue to rise. Last year, hackers' cloud intrusion attacks increased 136% from the previous year, with 40% led by China-linked actors. "Most of corporations' key data is now stored in the cloud, and AI models are also operated in the cloud, making it a constant target for attackers," he said. "In particular, attempts by China-linked hacker groups to penetrate the cloud are likely to keep increasing."
Korean corporations and government agencies have also suffered a series of hacking attacks since the start of the year, leading to personal data leaks and other damage. In April, SK Telecom saw the data of 23 million customers leaked; KT had base stations and servers hacked; and YES24 Corp., Seoul Guarantee Insurance Company, and Welcome Financial Group suffered ransomware attacks in succession, triggering a string of major hacking incidents. More recently, LG Uplus reported signs of server hacking to the government, revealing that all three telecom companies were breached by cyberattacks this year.
CTO Fratucello advised Korean corporations to craft security strategies with geographic proximity to North Korea and China in mind. Because attackers can range from nation-state actors to corporate-style groups and individuals motivated by money, he said corporations should first identify their threat profiles by industry to determine which attackers are likely to target them, and then adopt appropriate solutions. "Korean corporations I met recently were particularly concerned about cross-domain attacks in which multiple domains—cloud, endpoint, and on-premises identity—are attacked simultaneously, and an integrated security framework is needed to counter them," he said.
He emphasized that since identity (ID) has become the first line of defense for corporate security, Korean corporations should increase related investments. "If an insider's account information or credentials are stolen, attackers do not need to break into the system; they can simply log in and plant malware," he said. "Detection and response (DR) also become more difficult once attackers infiltrate a system after stealing identity."
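The Scattered Spider sequence described earlier (log in with a stolen account, then change MFA settings so the account owner stops receiving notifications) and the identity-first point made here both come down to the same detection question: did an MFA configuration change follow a sign-in from a source the user has never used? The script below is an added illustration, not CrowdStrike's code or any product's logic; the audit event names, the sample events and the per-user IP baseline are all constructed for the example.

```python
"""Flag MFA-setting changes that follow a sign-in from an unfamiliar source."""
from datetime import datetime, timedelta

# Constructed identity-provider audit events (not real logs).
# Fields: timestamp, user, event type, source IP.
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:05Z", "j.kim", "login.success", "203.0.113.7"),
    ("2025-01-10T09:01:40Z", "j.kim", "mfa.factor.removed", "203.0.113.7"),
    ("2025-01-10T09:02:10Z", "j.kim", "mfa.notification.disabled", "203.0.113.7"),
    ("2025-01-10T10:15:00Z", "a.lee", "login.success", "198.51.100.20"),
    ("2025-01-10T14:30:00Z", "a.lee", "mfa.factor.added", "198.51.100.20"),
]

# Constructed baseline of source addresses each user normally signs in from.
KNOWN_SOURCES = {"j.kim": {"198.51.100.5"}, "a.lee": {"198.51.100.20"}}

# Hypothetical event names for changes to a user's MFA configuration.
MFA_CHANGE_EVENTS = {"mfa.factor.removed", "mfa.factor.added", "mfa.notification.disabled"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_mfa_changes(events, known_sources, window=timedelta(minutes=30)):
    """Return (user, event_type, ip) for every MFA change that occurs within
    `window` of a successful login from an address outside the user's baseline."""
    last_unfamiliar_login = {}  # user -> time of latest login from an unknown IP
    alerts = []
    for ts, user, etype, ip in sorted(events, key=lambda e: e[0]):
        when = parse_ts(ts)
        if etype == "login.success":
            if ip not in known_sources.get(user, set()):
                last_unfamiliar_login[user] = when
            else:
                # A login from a known address resets the suspicion for this user.
                last_unfamiliar_login.pop(user, None)
        elif etype in MFA_CHANGE_EVENTS:
            start = last_unfamiliar_login.get(user)
            if start is not None and when - start <= window:
                alerts.append((user, etype, ip))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mfa_changes(SAMPLE_EVENTS, KNOWN_SOURCES):
        print("ALERT:", alert)
```

Run against the sample, only j.kim's two MFA changes are flagged: they follow a sign-in from an address not in that user's baseline, whereas a.lee's later factor addition follows a login from a known address.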
CrowdStrike said it is strengthening AI DR (detection and response) technologies to counter increasingly sophisticated AI-based cyberattacks. As part of that effort, it acquired AI security corporation Pangea in Sept. for $260 million. Pangea has security technologies that can counter "prompt injection attacks" targeting Generative AI.
"AI is a double-edged sword that can be an offensive tool or a powerful means of defense depending on how it is used," he said. "CrowdStrike will pioneer a new security technology domain called AI DR and will continue mergers and acquisitions (M&A) to improve security architecture."