Influence Operations with AI and Cyber-Enabled Ops
Key Takeaways
The SANS AI Cybersecurity Summit 2025 presentation explores the strategy behind influence operations conducted by state-sponsored actors, leveraging AI to weaponize their campaigns, and discusses the use of LLMs, AI tools, and cyber-enabled operations in disinformation campaigns. The presentation highlights the importance of understanding influence operations, AI alignment, and AI security in preventing conflict and strengthening legitimacy.
Full Transcript
Thank you very much. Um, so first off, um, so I just grew a beard just to look different than, uh, Rob. So I think we're the only one here don't have hair, uh, hair. So I think, uh, yeah, that's it. Rob myself. All right. So a little bit about myself. Sorry, this is my um, first speak at SANS, so I'm a little bit nervous. So I've been doing reverse engineer, Melbourne reverse engineer for 15 years. I've been doing threat hunting for 15 years. So one day I received an intelligence report about uh how adversaries are using uh artificial intelligence LLMs to create and deploy mal malware artifacts and also uh all type of techniques right to get into uh somebody else's network right so um I got that report and I didn't know anything about machine learning I didn't know anything about uh embeddings or LLMs so I said okay we need to catch up right we can't just work with the same people with the same tools in the in our cyber security offices, right? So, um I dived into uh LLMs. I dived into machine learning um uh models and also embeddings and I decided to come up with new ideas with new uh tools uh tools that can read uh up codes, malware uh by codes and up codes and make decision also attribution with machine learning. So, pretty interesting stuff. I highly recommend that you uh uh navigate into uh this model. So today go oh sorry so today I'm going to talk about something a little bit different. Uh we usually talk about the impact of um targeted attack on our system but today we're going to talk about the uh cognitive uh aspect of of this type of cyber operations. So today we're going to talk about influence operations with artificial intelligence and also uh cyber enabled operations. So 100% this presentation is AI generated. So I use a old model of GPT. So you can say that there's a misspelling issue there. So hopefully with the new version of chat GPT they fix all the the misspelling issues. Okay. So um a little bit of introduction influence operations have evolved from the typical uh propaganda the typical um media control to a more sophisticated strategy driven by artificial intelligence and also cyerspace operation. Um today the uh large scale data analysis and um automated bot um basically enable the creation and spread of disinformation campaigns in a highly highly personalized way uh manipulating um opinions manipulating beliefs of certain of targeted uh the target audience. So definition so basically the main goal of a influence operation is to prevent conflict uh strengthen legitimacy of their operations and also um keep the kinetic warfare keep the use of kinetic warfare as a last resort. So strategy let's go ahead and talk about strategy of any type of influence operation. So objective, you have to have an objective. Uh you need to understand what are you trying to achieve with this type of operation. So for example, I'm a pizza lover by the way. Um my objective is to come together and take actions about this watermelon pizza madness. So we need to that is my objective. So I need to build a message around that objective. A message that will support that objective. For example, the American Society of Pizza Lover stated that pineapple and tomato sauce is bad for your kidney and you're going to have kidney issues by the age of 30. Right? That's my message. So, I need to deliver that message using any type of channel. I can use um video game platform messaging apps or any other social traditional social media channel to convey that message to my primary target. Let's say my primary targets is um are YouTubers because YouTube is what the the number one uh streaming video platform. So I select my primary targets and then from my primary targets I will have them propagate my message to the secondary target that will help me amplify the message and uh extend my extend it u uh its influence. All right. So a key trends key trends that we have detected in modern influence operations targeted influence operations. So uh influence operations are becoming more precise. They're targeting uh specific individuals or group of individuals uh rather than uh a broad uh audience. Blurring lines that is the distinction between truth and deception. Uh so for example we have uh civilian influence operations, military oper influence operation continue to fade. So it makes it a little bit harder for us defender to detect and respond to this type of uh to this type of uh incident or this type of of trends. Right? Anybody can do this, right? You jump to chat GPT and create yourself a a a false statement or a false message. Okay? So there is malware as a service. There's also ransomware as a service. Why not have influence operations as a service? So this is a spe specialized group that sells uh this type of campaign, this type of operations for a price, right? This provides uh uh influence operations actors as a uh a plausible deniability. So perception hacking perception hacking is is not always about uh changing mind changing perception but this one is um basically to undermine trust uh to create confusion and undermine trust in influ information uh sources. Uh enhance OBSC enhance operational security. uh key actors uh threat actors are now using uh AI to um improve their operational security uh and that way they can prevent any type of drag attribution and platform diversification. Adversaries are now using um or moving away from traditional social media platform into uh other platforms such such as um gaming platform, video streaming and uh encrypted messaging apps. All right. So capabilities with AI you're generate uh content generation uh adversaries are now um mass-producing content video uh to shape uh narratives AI and not AI even though AI is growing is improving we still have uh thread actors that are using manual and traditional methods to uh generate content and maximize impact fake engagement. So they're using uh troll farms, uh botn nets, uh coordinated campaigns um to amplify the message and extend its influence. Um, deep fakes. I'm pretty sure everybody here has heard the term deep fakes. Is basically the uh creation AI creation of a video uh impersonating a specific individual to basically uh create a false event and to um diminish or undermine trust and productivity boost. um influ influence operations are now being produced at a a large scale are being produced faster, cheaper and um and more efficient. All right, so let's go ahead and talk about uh real world scenarios. Let's see how uh state sponsor actor are now using or leveraging AI tools to create this type of campaigns. Um for here I did two things. I use openly available or publicly available uh uh AI tools or LLM tools and also u made my own tool using um basically go ahead and talk about that tool. So basically I put together a database of um from different databases out there uh databases such as liar um gel Google fat check. I put together one database and a unified database and I use uh algorithms such as um embeddings and also random forest. I threw the data into uh the the the machine learning process and with LLM I took the data from the machine learning process and send it to LLM and LLM will give me that output. It will give me the um uh this information probability and also the explanability of the uh of the output. So in this case we have a Chinese uh state sponsored group with a um a campaign campaign about the Chinese um government policy. So basically we use two different techniques in this uh if you look at the image uh at the bottom left. So there is a technique AI and nonAI generated content. So the content created by the Chinese was 38% 39% around 39% uh AI generated and if you look at our tool is has a 90% probability that is part of the uh disinformation campaign. Let's go ahead and take a look at other uh state sponsor group. We have a Russian state sponsor group. Russian is highly active when it comes to uh uh propaganda and also traditional uh influence operation. And now they're moving towards um AI generated uh campaigns. So we have um uh at the top uh at the top left top right we have a uh articles about the Biden administration that was in 20123 and then down below you can see that the entire content was generated by AI. Okay. So the next one is another Russian state sponsored group. There's another article. This was last year. uh for this case it's also uh 100% AI generated and our tool um gave it a 67% that this is part of a uh disinformation uh um um campaign. Okay, last but not least um again we're using LLMs, we're using public available tools, but we are also using manual tools to analyze this type of a u of propaganda campaigns. Now let's take a look at this one right here. Hammer state sponsor group. Um so they use conventional uh cyber security operations. So they use you know the typical against this was against the IDF Israeli uh defensive forces. So they use the typical u fishing campaigns um persistence via schedule task um and they deploy wipers. So they destroy all the data but at the same time each one of the computer of the of the soldiers they deploy this video as a propaganda against the Israeli government. So when we analyze this video we did the manual analysis we look for three uh different uh data metadata here that will help us identify that this is uh a video AI generated. So the first one is empty days. That's one of the characteristics, right? If the data is empty, it could be uh produced by AI generated uh uh model, right? The compressor compressor basically a technology used by uh um um LLMs to basically um reduce the quality of the video that makes us us defender uh makes it difficult for us defender to detect and react to this type of video. And last but not least, they used encoder. encoder helps um this video looks more videos look more real more realistics. Okay. All right. So defending against IO again uh we combine uh different techniques such as uh LLMs um our own tools we also use public available tools and also manual analysis. Um so the first one is uh we need to have um a partnership with tech uh tech industry, private sector and also government sector. We need to share intelligence not only intelligence we also need to share resources and technology and last but not least again use AI uh automated detection with no nonAI investigations. Okay and that is it. So quick um key uh a key note here. Um I want you to understand that the threat landscape right now is that adversaries are using leveraging AI. So we also have to adopt that. There's no other way around. Okay. So we need to catch up. We need to compete. We need to uh fight against uh the uh this threat actors. Okay. So if you have any questions, here's are my links. I'm looking forward to connecting with you. So, if you have any questions about the tools that I use, I'll be back there and we can start a campaign against the watermelon pizza if you like. Okay.
Original Description
SANS AI Cybersecurity Summit 2025
Influence Operations with AI and Cyber-Enabled Ops
Gerardo Santos, Head of Threat Hunting, S2 Grupo
This presentation will explore the strategy behind influence operations conducted by state-sponsored actors and how they leverage AI to weaponize their campaigns.
View upcoming Summits: http://www.sans.org/u/DuS
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from SANS Institute · SANS Institute · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
SANS FOR610: Reverse Engineering Malware: Malware Analysis Tools & Techniques
SANS Institute
SANS Institute Cybersecurity Training Customer Stories
SANS Institute
SANS Institute UK Cyber Academy
SANS Institute
SANS Institute UK Cyber Academy
SANS Institute
CISSP® Prep Exam, MGT414, by SANS Institute
SANS Institute
SANS Institute's Rob Lee Discusses The OPM.GOV Hack on CNN
SANS Institute
Information Security Training from SANS Institute - Student Testimonials
SANS Institute
SANS NetWars
SANS Institute
SANS DFIR NetWars
SANS Institute
Hack The Drone - SANS Cyber Academy UK
SANS Institute
SANS VetSuccess Immersion Academy
SANS Institute
SANS Cybersecurity Training, Certifications & Placement for Veterans
SANS Institute
The 2015 SANS Holiday Hack Challenge
SANS Institute
SANS VetSuccess Academy: Hands-on Skills
SANS Institute
SANS VetSuccess Academy Overview
SANS Institute
SANS ICS Security Summit & Training 2017
SANS Institute
Exploring the Unknown Industrial Control System Threat Landscape – SANS ICS Security Summit 2017
SANS Institute
WannaCry recap, patches, and analysis
SANS Institute
If We’re Doing So Well at Cyber Security, Why Are We Still Doing So Poorly?
SANS Institute
Graduation Day - SANS HM Gov Cyber Retraining Academy
SANS Institute
Incentivizing ICS Security: The Case for Cyber Insurance – SANS ICS Security Summit 2017
SANS Institute
SANS Data Breach Summit & Training 2017
SANS Institute
SANS Secure DevOps Summit & Training 2017
SANS Institute
How Threats Are Slipping In the Back Door - SANS ICS Security Summit 2017
SANS Institute
SANS Webcast – Continuous Opportunity: DevOps & Security
SANS Institute
SANS Cybersecurity Programs for the Department of Defense
SANS Institute
SANS Pen Test HackFest Summit & Training 2017
SANS Institute
SANS SIEM & Tactical Analytics Summit & Training
SANS Institute
If We’re Doing So Well, Why Are We Still Doing So Poorly? – SANS ICS Security Summit 2017
SANS Institute
SANS Institute
SANS Institute
ICS515: ICS Active Defense and Incident Response
SANS Institute
SANS Institute
SANS Institute
Introducing the NEW SANS Pen Test Poster
SANS Institute
SANS Institute - An Inside Look at the Newly Updated ICS515 Course
SANS Institute
SANS ICS Security Training, Munich, Germany
SANS Institute
SANS Automotive Summit Webcast
SANS Institute
Privesc Playground - SANS Pen Test HackFest Summit 2017
SANS Institute
Introduction to Reverse Engineering for Penetration Testers – SANS Pen Test HackFest Summit 2017
SANS Institute
Honey, Please Don’t Burn Down Your Office: Fun with Smart Home Automation
SANS Institute
SANS Security Operations Summit & Training 2018
SANS Institute
Sh*t Happens! (But You Still Need to Drink the Water) – SANS ICS Summit 2018
SANS Institute
ICS Threat Intelligence: Moving from the Unknowns to a Defended Landscape – SANS ICS Summit 2018
SANS Institute
You’re Probably Not Red Teaming (And Usually I’m Not, Either) – SANS ICS Summit 2018
SANS Institute
A Sneak Peak at the New ICS410
SANS Institute
Jumping Air Gaps – SANS ICS Summit 2018
SANS Institute
Introduction to Linux
SANS Institute
Introduction to Malware Analysis
SANS Institute
You’re Probably Not Red Teaming (And Usually I’m Not, Either) Webcast by Deviant Ollam
SANS Institute
Hacking your SOEL: SOC Automation and Orchestration – SANS Security Operations Summit 2018
SANS Institute
Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
SANS Institute
Apples and Oranges?: A CompariSIEM – SANS Security Operations Summit 2018
SANS Institute
SANS Webcast - Perimeter Security and Why it is Obsolete
SANS Institute
SANS Webcast - Trust No One: Introducing SEC530: Defensible Security Architecture
SANS Institute
The Science of Security: The Psychological Impacts of Security Awareness Programs
SANS Institute
How I Pulled Off an Edgy Security Campaign – SANS Security Awareness Summit 2018
SANS Institute
Practical Advice for Submitting to Speak at a Cybersecurity Conference
SANS Institute
SANS Webcast - Consuming OSINT: Watching You Eat, Drink, and Sleep
SANS Institute
SANS Webcast - Zero Trust Architecture
SANS Institute
SANS STX Cyber Range
SANS Institute
Part 1 – SANS Institute and Tenable talk about cloud security
SANS Institute
More on: AI Security
View skill →Related Reads
📰
📰
📰
📰
Romania leads its first private ESA mission with CyberCUBE launch
The Next Web AI
Vietnamese Cybercrime Groups Abuse Google Services to Phish Facebook Ad Accounts
Medium · Cybersecurity
How Does a Message Find the Right Path?
Medium · Cybersecurity
Cloud-Managed Security Is Changing Charlotte’s Digital Economy — Here’s What That Actually Means”
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI