AI Knowledge Graphs Transform APT Threat Intelligence
SANS researchers demonstrate how open-source AI tools extract actionable relationships from unstructured threat reports, mapping GRU and APT28 TTPs in interactive visualizations.
Security researchers at SANS Internet Storm Center demonstrated this week how AI-powered knowledge graph generation can automatically extract structured threat intelligence from dense government advisories and security reports. The technique produces interactive visualizations that map relationships between threat actors, their targets, and attack techniques—potentially accelerating analysis that would otherwise take human analysts hours to complete.
The experiment used Robert McDermott's AIKG tool running Google's Gemma 3 language model locally on consumer hardware. By feeding CISA advisories and security research into the system, the tool generated semantic triplets (subject-predicate-object relationships) and visualized them as navigable network diagrams.
Why This Matters for Defenders
Threat intelligence teams face an overwhelming volume of unstructured text: PDF advisories from CISA, blog posts from security vendors, incident reports, and OSINT feeds. Extracting the key relationships—who targets whom, which techniques they use, what infrastructure they leverage—requires significant manual effort.
The knowledge graph approach automates this extraction. When SANS handler Russ McRee fed a May 2025 CISA advisory on Russian GRU operations into the tool, it produced a graph with 118 nodes and 486 edges across 7 distinct communities. The visualization clearly mapped how GRU Unit 26165 targets Western logistics companies supporting Ukraine aid, which techniques they employ, and what infrastructure they abuse.
We've covered GRU targeting of Western logistics and energy infrastructure extensively over the past year. These knowledge graphs could help analysts connect new campaigns to historical activity more rapidly.
APT28 Campaign Analysis
The second test case used SecurityWeek reporting on APT28 credential harvesting campaigns targeting Turkish energy researchers and European defense think tanks. The resulting graph—38 nodes, 105 edges, 4 communities—mapped how Fancy Bear impersonated Microsoft OWA portals and spoofed Sophos VPN login pages to steal credentials.
The visualization revealed relationship clusters that might take analysts time to piece together manually: APT28 targets specific personnel categories (energy researchers, defense collaborators), uses specific TTPs (credential harvesting via spoofed login pages), and focuses on geographic regions aligned with Russian intelligence priorities.
This aligns with our January coverage of APT28 campaigns across the Balkans, Middle East, and Central Asia. The knowledge graph technique could help organizations quickly determine whether new phishing activity matches known Fancy Bear patterns.
How the Tool Works
AIKG operates through four processing phases:
- Text chunking and triple extraction: The system splits documents into overlapping segments and uses an LLM to identify entities and their relationships in subject-predicate-object format.
- Entity standardization: The tool normalizes variations—"APT28," "Fancy Bear," "BlueDelta"—into consistent identifiers so that references to the same entity connect properly in the graph.
- Relationship inference: Beyond explicitly stated relationships, the system discovers implicit connections through transitive reasoning and community analysis.
- Interactive visualization: The output generates HTML files using PyVis with color-coded communities, adjustable node sizing, and filtering controls.
The entire stack runs locally. McRee used a Lenovo ThinkBook 14 G4 with an AMD Ryzen 7 processor and 40GB RAM running Ubuntu. The tool works with any OpenAI-compatible API endpoint, including Ollama, LM Studio, and vLLM.
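To make the four phases concrete, here is an added example (not AIKG's own code) of the pipeline in miniature: deterministic triple extraction standing in for the LLM phase, alias standardization, a transitive inference rule, and a grounding check that flags any triple whose entities do not literally appear in the source chunk, which is the validation step the caveats below call for. The chunks, alias table and predicates are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample text standing in for an advisory split into overlapping chunks.
CHUNKS = [
    "APT28 targets energy researchers. APT28 uses spoofed OWA portals.",
    "Fancy Bear spoofs Sophos VPN login pages. Fancy Bear is attributed to GRU Unit 26165.",
    "BlueDelta targets defense think tanks. BlueDelta uses spoofed OWA portals.",
]
# Alias table for entity standardization (assumption: analyst-maintained, not model-learned).
ALIASES = {"fancy bear": "APT28", "bluedelta": "APT28"}
# Deterministic stand-in for the LLM triple-extraction phase so the example runs offline.
PATTERN = re.compile(r"([^.]+?) (targets|uses|spoofs|is attributed to) ([^.]+)\.")

def extract_triples(chunks):
    """Phase 1: (subject, predicate, object, chunk_id) for every match in every chunk."""
    return [(s.strip(), p, o.strip(), cid)
            for cid, chunk in enumerate(chunks) for s, p, o in PATTERN.findall(chunk)]

def ground(triples, chunks):
    """Keep only triples whose subject and object literally occur in their source chunk;
    anything else is treated as a possible hallucination and returned for analyst review."""
    kept, rejected = [], []
    for t in triples:
        s, _, o, cid = t
        (kept if cid is not None and s in chunks[cid] and o in chunks[cid] else rejected).append(t)
    return kept, rejected

def standardize(name):
    """Phase 2: collapse known aliases onto one canonical node identifier."""
    return ALIASES.get(name.lower(), name)

def infer(edges):
    """Phase 3: transitive rule: X attributed to Y and X targets Z implies Y targets Z."""
    parent = {s: o for s, p, o in edges if p == "is attributed to"}
    return {(parent[s], "targets", o) for s, p, o in edges if p == "targets" and s in parent}

def build_graph(chunks, extra_triples=()):
    """Run all phases; extra_triples lets a caller inject model output to be grounded too."""
    kept, rejected = ground(extract_triples(chunks) + list(extra_triples), chunks)
    edges = {(standardize(s), p, standardize(o)) for s, p, o, _ in kept}
    edges |= infer(edges)
    nodes = Counter(n for s, _, o in edges for n in (s, o))  # degree per node, for sizing
    return nodes, edges, rejected

if __name__ == "__main__":
    nodes, edges, rejected = build_graph(CHUNKS)
    for s, p, o in sorted(edges):
        print(f"{s} --{p}--> {o}")
    print("rejected:", rejected)
```

The returned node degrees and edge set are what a PyVis export would consume; rejected triples are the ones an analyst should check against the source before trusting the graph.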
Practical Applications
Beyond ad-hoc analysis, this technique has clear applications for security teams:
Threat modeling: Feed vendor advisories and CISA alerts into the system to build a running map of threat actor capabilities and targeting patterns relevant to your sector.
Incident response: During active investigations, quickly visualize relationships between IOCs, infrastructure, and known threat actors to accelerate attribution hypotheses.
Intelligence fusion: Combine multiple sources—government advisories, vendor reports, internal threat data—into unified graphs that reveal connections across datasets.
The open-source community has been developing similar approaches. Academic projects like CTIKG and AEKG4APT use LLMs to construct security-oriented knowledge graphs from CTI articles.
Limitations and Caveats
The technique isn't without drawbacks. The quality of extracted relationships depends heavily on the underlying language model's training data and prompt engineering. Hallucinated relationships could lead analysts astray if not validated against source material.
Processing time scales with document length and model size. McRee noted the 27-billion parameter Gemma variant produced richer graphs but required more compute time than the 12-billion parameter version.
And knowledge graphs don't replace human analysis—they augment it. The visualizations help analysts see patterns faster, but validating those patterns against ground truth still requires expertise.
For organizations drowning in threat intelligence feeds, automated knowledge graph generation offers a promising path toward making that firehose of data actually actionable. The fact that it runs on consumer hardware using open-source tools removes the cost barrier that often limits access to advanced analytical capabilities.