Using Artificial Intelligence to Find and Use Software Vulnerabilities

May 11, 2026, 18:11
ChinaTechnology

Introduction

Google's Threat Intelligence Group (GTIG) has reported the stop of a large cyber attack. This operation used large language models (AI) to find and exploit a software vulnerability that was previously unknown.

Main Body

The attack targeted a web-based tool for system administration. The attackers used a logic error in the software to bypass two-factor authentication. GTIG discovered that AI was used because the Python scripts contained 'hallucinated' security scores and a textbook style, which are common in AI training data. Although the exact model is unknown, Google stated that its Gemini model was likely not used. Furthermore, this incident shows that criminal groups and state-linked actors from China, North Korea, and Russia are increasingly using commercial AI tools to make their attacks faster and larger. Because of these developments, companies are changing their security strategies. For example, Anthropic limited the release of its 'Mythos' model because it could find vulnerabilities in major operating systems and browsers. Consequently, they started Project Glasswing to coordinate security between tech and financial companies. Similarly, OpenAI has created a special cybersecurity version of its model, but it is only available to approved security professionals. Regarding government policy, the United States has had a changing approach to AI oversight. The Commerce Department recently made agreements with Google, Microsoft, and xAI to test powerful models before they are released to the public. However, the public records of these deals were later removed. Experts emphasize that while AI might eventually help make old software more secure, there is currently a period of high risk because AI can find flaws faster than humans can fix them.

Conclusion

The current situation is a race between AI-driven attacks and the development of organized defenses by major institutions.

Learning

⚑ The 'Logic' of Connection

At the A2 level, you likely use simple connectors like and, but, and because. To reach B2, you need to use Transition Words that show a professional relationship between ideas. These aren't just words; they are signals to your reader about how the story is moving.

πŸ” The B2 Upgrade Map

Look at how the text moves from a simple fact to a complex result. Instead of saying "And then," the author uses these:

  • "Furthermore..." β†’\rightarrow (A2 equivalent: "Also")

    • Usage: Use this when you have already given one strong point and want to add an even stronger one.
    • Example: "The AI found a bug. Furthermore, it helped the hackers move faster."

  • "Consequently..." β†’\rightarrow (A2 equivalent: "So")

    • Usage: Use this to show a direct, formal result of an action.
    • Example: "The model was too dangerous. Consequently, Anthropic limited its release."

  • "Similarly..." β†’\rightarrow (A2 equivalent: "Like this")

    • Usage: Use this to compare two different companies or people doing the same thing.
    • Example: "Anthropic limited its model. Similarly, OpenAI created a restricted version."

πŸ› οΈ Pro-Tip: The Semicolon-Style Pause

Notice that these words usually start a sentence and are followed by a comma ( , ). This creates a rhythmic pause that makes your English sound more academic and less like a list of random facts.

A2 Style: I like AI but it is dangerous so I am careful. B2 Style: I appreciate the utility of AI; however, it possesses inherent dangers. Consequently, I exercise caution.

πŸ’‘ Vocabulary Pivot: From 'Change' to 'Developments'

Instead of saying "things are changing," the text uses "Because of these developments...".

  • Development (in this context) = a new event or situation that changes the current state.
  • Try this: Next time you describe a trend, don't say "The change is...", say "Due to these developments..."

Vocabulary Learning

vulnerability (n.)
A weakness or flaw that can be exploited to gain unauthorized access or cause damage.
Example:The software had a vulnerability that allowed attackers to gain unauthorized access.
authentication (n.)
The process of verifying a user's identity before granting access to a system.
Example:Two-factor authentication adds an extra layer of security.
bypass (v.)
To avoid or get around a security measure or rule.
Example:The hackers used a logic error to bypass the authentication system.
incident (n.)
An event, especially one that causes concern or requires attention.
Example:The incident highlighted the need for better monitoring.
commercial (adj.)
Relating to business or trade, especially for profit.
Example:Commercial AI tools are increasingly used by cybercriminals.
strategy (n.)
A plan or method for achieving a goal or solving a problem.
Example:Companies are updating their security strategies to counter new threats.
release (v.)
To make a product or information available to the public.
Example:The model was not released to the public until after testing.
coordinate (v.)
To organize or arrange efforts so that they work together effectively.
Example:Project Glasswing coordinates security efforts between tech and financial companies.
oversight (n.)
Supervision or monitoring to ensure compliance or proper conduct.
Example:The government is increasing oversight of AI development.
agreement (n.)
A negotiated arrangement between parties that outlines mutual commitments.
Example:The Commerce Department signed agreements with major tech firms.
public (adj.)
Open to everyone; not restricted to a particular group.
Example:The public records of the deals were later removed.
emphasize (v.)
To give special importance or attention to something.
Example:Experts emphasize the high risk of AI-driven attacks.
risk (n.)
The possibility of danger, loss, or harm.
Example:There is a high risk that AI will find flaws faster than humans can fix them.
flaw (n.)
A mistake, defect, or weakness in a system or object.
Example:The AI discovered a critical flaw in the operating system.
institution (n.)
An established organization, especially one that has a public or official role.
Example:Major institutions are developing organized defenses against AI attacks.