Illustration of a human head with gears inside representing thinking and interconnected technology icons around.

Social Engineering Attacks In AI Supply Chains Expose Critical Vulnerabilities

Posted on by Brian Colwell

The AI ecosystem faces an escalating threat from sophisticated social engineering attacks, attacks which exploit both human psychology and technical vulnerabilities by targeting the collaborative nature of AI development, where trust relationships and open-source principles create unique attack surfaces that traditional cybersecurity approaches fail to address.

Malicious Models Infiltrate Trusted Platforms

Major AI platforms have become prime targets for social engineering attacks.

Recent research revealed multi-year infiltration campaigns by state actors, novel attack techniques that bypass existing security measures, and approximately 100 malicious PyTorch and TensorFlow models on Hugging Face alone – with some achieving “No issue” safety ratings despite containing harmful payloads. The “baller423” case exemplifies this threat – a PyTorch model that established reverse shell connections to a Korean research network IP address while appearing legitimate to platform security scanners (Security Boulevard, Darkreading, Riskledger, JFrogDarkreading, Cybersecurity Dive).

The scale extends beyond individual models. In November 2023, Lasso Security uncovered 1,681 exposed API tokens affecting 723 organizations including Meta, Microsoft, and Google. Of these, 655 tokens had write permissions, with 77 organizations having full repository control compromised. This breach granted attackers potential access to Meta-Llama, Bloom, and Pythia repositories with millions of downloads, enabling widespread model poisoning or theft of proprietary AI assets.

Platform vulnerabilities compound these risks. Cross-tenant attacks through shared inference infrastructure allow lateral movement between customers’ private models (SC Media). The February 2024 Safetensors conversion service vulnerability demonstrated how attackers could hijack official bot tokens to manipulate any repository – the affected bot had made over 42,000 pull requests affecting models with 16+ million downloads (Prnewswire).

Long-Term Infiltration Targets The Community

The XZ Utils backdoor campaign exemplifies the patience and sophistication of modern threat actors. “Jia Tan” spent 2.5 years building trust through legitimate contributions before deploying a backdoor affecting major Linux distributions. Openssf Coordinated sockpuppet accounts “Jigar Kumar” and “Dennis Ens” pressured the maintainer by exploiting his disclosed mental health concerns, demonstrating psychological manipulation tactics specific to open-source communities (Darkreading, Wikipedia).

Social engineering amplifies technical attacks through multi-persona impersonation campaigns. Iranian APT group TA453 uses 3-4 fake personas simultaneously in email threads, exploiting psychological principles of social proof. These personas impersonate real researchers and institution directors, using OneDrive links with macro-laden documents followed by “password protection” messages for added legitimacy (Google Cloud).

Further, state-sponsored APT groups systematically target AI research. Chinese groups like APT40 focus on maritime AI research, while APT41 breached Taiwanese government AI facilities starting mid-2023. Russian APT29 targets NATO research institutes, recently using Microsoft Teams for credential theft. Iranian APT42 heavily leverages AI tools like Gemini for crafting phishing campaigns against academics. These groups maintain average dwell times of one year, with some campaigns lasting up to five years before detection (Socradar, Google Cloud, The Hacker News, Wikipedia).

Academic culture definitely creates unique vulnerabilities: threat actors time attacks to coincide with major conference submission deadlines (NeurIPS, ICML, ICLR) when researchers face pressure and may overlook security. They impersonate funding organizations like NSF, DARPA, and the European Research Council with false grant opportunities. The collaborative nature of academia – prioritizing open access and international partnerships – provides cover for intelligence gathering operations.

The University of Zurich’s unauthorized Reddit experiment demonstrates how researchers themselves can become threat actors. Over 4 months, they deployed AI bots with fabricated personas including sexual assault survivors and trauma counselors, posting 1,700+ comments that were 6x more persuasive than human responses. The experiment violated platform rules and user consent, leading to legal action and ethics review (ZME Science, NBC News).

The intersection with AI capabilities creates novel threats. Voice cloning now requires only 3 seconds of audio, enabling real-time impersonation during video calls, and deepfake technology allows creation of complete fake researcher identities with fabricated publication histories (World Economic Forum,  ScienceDirect). And, recently, Anthropic documented over 100 AI-orchestrated fake personas systematically engaging tens of thousands of authentic accounts across social platforms (The Hacker News).

Final Thoughts

The convergence of social engineering and AI vulnerabilities creates a new threat paradigm requiring fundamental changes to AI development practices. Trust-based collaboration models that enabled rapid AI advancement now pose existential risks to system integrity, and the global nature of AI research complicates attribution and response to state-sponsored attacks.

Organizations must recognize that AI supply chain security extends beyond technical controls to encompass human factors, collaborative processes, and trust relationships. The stakes continue rising as AI systems assume critical roles in infrastructure, healthcare, finance, and defense, and a single compromised model or poisoned dataset can cascade through thousands of downstream applications.

Thanks for reading!