Google’s Threat Intelligence Group reported Monday the first observed instance of a hacking group deploying an AI-generated zero-day exploit, which it says was built to bypass multifactor authentication systems.
Zero-day exploits have been a key concern for security researchers, given the potential for advanced AI models to identify hundreds of them at a much faster pace than human experts. The recent limited releases of cybersecurity models by Anthropic and OpenAI, alongside industry buzz about their potential, have increased fears that AI could be used by cybercriminals and adversarial countries.
Google did not disclose the hacking group responsible, nor the AI model used. In a follow-up comment to Bloomberg, it said it did not believe the exploit was created by Mythos or Google Gemini. Google has not launched its own advanced cyber model.
Mythos and the future of cybersecurity
Anthropic stoked fears in the cybersecurity world last month with the limited launch of Mythos, following several weeks of warnings from the company about AI’s potential impact on security. Around 40 organizations received limited access to the model, including public bodies, infrastructure providers, and financial institutions.
From early tests of Mythos, it appears Anthropic was right to limit its release. Several of the 40 organizations have come forward to warn about Mythos’ cybersecurity capabilities, while others have used the AI model to test their internal defenses and patch vulnerabilities it found.
Mozilla said it had patched 271 vulnerabilities identified by Mythos, highlighting the model’s ability to quickly spot bugs and provide fixes.
The value of these AI models has also been highlighted by the Trump Administration’s reversal on Anthropic. It had banned the use of Anthropic tools by state departments, while the Department of Defense signed agreements with most of its rivals after designating the company a supply-chain risk.
The launch of Mythos prompted several departments to seek access, including the National Security Agency, which has reportedly been using it to shore up its defenses.
Bug hunting and security patching have never been as prominent as they are right now. Microsoft recently pushed out its second-largest monthly security update in its history, fixing 160 bugs, including two zero-day vulnerabilities. With Anthropic Mythos and other AI cyber tools, these companies may be on the front foot, but it is only a matter of time before the technology spreads to more bad actors.
Mythos is only one of several AI models that hackers could use to build zero-day exploits. Its main rival, OpenAI, has been more lenient over who can access its cyber model, even calling Anthropic’s restricted access “fear-based marketing” before making its own cyber model limited access.
Anthropic has warned that Chinese AI model makers are about 12 months behind the US leading edge, and that they could have tools of similar sophistication by 2027.
Also read: Google’s April AI announcements covered Gemini agents, workplace automation, and defense-related AI updates.