Researchers at Google Cloud believe the AI threat will worsen in 2025 despite not having had the catastrophic impact some analysts initially predicted.
In its Cybersecurity Forecast 2025, the tech giant anticipates that successful malicious use of AI observed in 2024 will continue and new sophisticated uses will emerge.
Malicious actors will continue to use AI and large language models (LLMs) to develop and scale sophisticated social engineering schemes including phishing campaigns.
Google Cloud analysts also forecast that cyber espionage actors and cybercriminals will continue to leverage deepfakes for identity theft, fraud, and bypassing know-your-customer (KYC) security requirements.
During the report launch event in London, attended by Infosecurity on November 12, Stuart McKenzie, Managing Director of Mandiant Consulting EMEA at Google Cloud, said, “AI will play a massive part of overall cyber threats in 2025.”
From Malicious AI Prototypes to Large-Scale AI Adoption
In addition to the malicious use of AI already observed, the authors of the report believe that in 2025 some anticipated misuses of AI that have not materialized to date could do so.
Jamie Collier, Lead Threat Intelligence Advisor for Europe at Google Cloud, said the use of LLMs for malware development, and of malicious open source LLMs, is still anecdotal but will likely take off next year.
He also expects more AI experiments to supercharge malicious actors’ capabilities, including vulnerability research, code development and reconnaissance.
Finally, the analysts anticipate large-scale use of generative AI, including generative adversarial networks (GANs), LLMs and deepfake technologies to power information operations, including information manipulation on social media, astroturfing and global disinformation campaigns.
Phil Venables, VP of Threat Intelligence Security and CISO at Google Cloud, concluded on AI: “2025 is the year when AI moves from pilots and prototypes into large-scale adoption.”
Expected Cyber Threat Activity from the Big Four
Russia: Shift to the Ukrainian Front Line
In 2025, Google Cloud expects Russian cyber espionage to remain primarily focused on the Ukraine conflict.
Collier said Google Cloud had seen Russian hacking groups moving away from targeting civilians in Ukraine and Europe – with wiper malware, for instance. Most of these groups’ main targets are now on the front line.
“Most Russian threat actors, including those linked to FSB [Russia’s federal security service] and GRU [Russia’s military intelligence service], now have a direct focus on the Ukrainian front lines. They target critical military infrastructure on the front line, including GPS systems and mobile devices.”
One example is APT44, which has recently shown its capacity to extract data from dead Ukrainian soldiers’ phones while they’re still connected.
Collier added that only groups associated with Russia’s foreign intelligence service (SVR) will probably continue targeting entities outside the front lines.
North Korea: IT Workers Going Global
North Korean hacking groups’ most notable recent strategy is to try to get recruited as IT workers by Western organizations, especially tech companies.
“Although the story of the North Korean IT workers applying to be hired by Western companies sounds a little far-fetched, half of the tech companies I talked to have experienced it,” McKenzie said.
This trend is likely to continue and even expand in 2025, said the report.
“Although it started in the US, we have recently seen them expand to Europe, partly because of indictments from the US Department of Justice (DoJ),” said Collier.
He added that Google Cloud is also seeing an increasing overlap between North Koreans using this tactic to earn money for the Pyongyang regime and those doing it for cyber espionage purposes.
“This overlap will likely continue because many of those North Korean cyber espionage groups must at least generate revenue to keep running their own operations,” Collier added.
China: More of the Same Stealthy Tactics
Google Cloud anticipates that institutional investments China has made in its cyber threat operators over the last decade will continue to fuel the volume of threat activity and capability development in 2025.
This includes pre-positioning campaigns targeting internet-exposed attack surfaces, such as end-of-life devices, compromising operational relay box (ORB) networks to obscure operator traffic to and from the target environment, and exploiting zero-day vulnerabilities.
“By using these stealthy tactics, Chinese malicious actors are depriving defenders of the traditional detection opportunities they usually have,” Collier explained.
The Google Cloud analysts also expect Chinese hackers to continue to deploy custom malware, enabling them to achieve stealthy backdoor access into environments, such as trojanizing legitimate services to listen for attacker connections.
Iran: Israel-Hamas Conflict Drives Cyber Threat Activity
Google expects that the Israel-Hamas conflict will likely continue to dominate Iranian state-sponsored cyber threat activity.
“However, this focus will not prevent Iranian threat actors from continuing operations consistent with long-term patterns, including targeting government and telecommunications organizations across the Middle East and North Africa, or dabbling in cybercrime,” the Google Cloud report said.
Other Cyber Threat Forecasts
Other projections in Google Cloud’s Cybersecurity Forecast 2025 included:
- Post US Election activity, including state-sponsored espionage campaigns targeting the new US Government
- Supply chain attacks moving away from targeting big brand common software providers, such as SolarWinds or Ivanti, to favor globally-adopted open source libraries and frameworks
- Surge in stolen credentials and infostealer malware
- Rise in crypto heists and increased targeting of web3 service vulnerabilities (e.g. smart contract exploits, private key theft)
- Rising impact of compromised identities in hybrid environments