CERT-In Issues High-Severity AI Cyber Risk Advisory for Indian MSMEs

The Indian Computer Emergency Response Team (CERT-In) has issued a high-severity advisory to Indian micro, small, and medium enterprises (MSMEs) regarding cybersecurity risks posed by advanced artificial intelligence systems, including Anthropic's Mythos and similar frontier models. In an advisory titled 'Defending Against Frontier AI-Driven Cyber Risks,' the cybersecurity watchdog stated that emerging AI models can now identify software vulnerabilities, automate reconnaissance, generate phishing content, and execute multi-stage cyberattacks at speeds that previously required teams of skilled experts.

Risks Identified by CERT-In

According to the advisory, frontier AI models are increasingly capable of carrying out complex cyber operations with minimal human intervention. These systems can perform large-scale software analysis to find known and zero-day vulnerabilities, develop exploits faster for newly disclosed bugs, automatically discover internet-exposed infrastructure, harvest credentials through AI-powered phishing campaigns, plan multi-stage attacks, and accelerate exploitation workflows. The agency warned that while such tools can be used for defensive cybersecurity, they may also be misused by threat actors. 'It is likely that AI systems with such advanced cyber capabilities will continue to emerge and mature in the near future,' the advisory noted. CERT-In added that the dual-use nature of these tools could help attackers automate exploitation campaigns and scale attacks.

Risks for MSMEs

The agency highlighted that MSMEs remain particularly vulnerable due to limited cybersecurity budgets and smaller security teams. Businesses may face unauthorized access, data theft, service disruptions, financial fraud, identity compromise, impersonation attacks, and persistent malware infections. The advisory also warned about risks to interconnected systems and supply chains.

Recommendations for Businesses

CERT-In recommended stronger monitoring and faster responses to emerging vulnerabilities. Organizations are advised to increase system monitoring frequency, review logs more often, reduce internet-facing attack surfaces, disable unnecessary ports and services, enable DDoS protection, monitor unusual access activity, and use AI-powered defensive security tools. The agency also stated that companies should treat newly disclosed vulnerabilities with urgency. 'Treat every newly disclosed critical vulnerability in widely deployed software as something that could be exploited within hours, not weeks,' the advisory added.

Zero Trust Security Model

The advisory urged organizations to adopt Zero Trust Network Architecture, which includes multi-factor authentication, least privilege access controls, hardware-based identity verification, network segmentation, and restricting production systems from public internet exposure. The agency also warned businesses to review older VPN systems, which are often targeted by attackers.

Importance of Faster Patching

CERT-In emphasized reducing patch deployment timelines. Companies should apply critical patches within 24 hours where possible, automate patch management, maintain updated software inventories, monitor open-source software vulnerabilities, and review third-party vendor security practices. The advisory also urged organizations to monitor cloud environments for misconfigurations. Smaller businesses should focus on cost-effective measures, such as keeping systems updated, turning on automatic updates, using managed security services, enabling multi-factor authentication, avoiding unverified AI tools, encrypting business data, filtering phishing emails, testing backup recovery processes, and monitoring suspicious network activity.

Employee Training

The agency urged MSMEs to train employees regularly. 'Conduct regular cybersecurity training to educate employees on risks of AI-generated content and scams,' the advisory noted.

Guidance for Individuals

CERT-In also warned individual users that personal devices can become targets. People are advised to use strong passwords, enable multi-factor authentication, avoid suspicious links, verify urgent financial requests, be cautious of AI-generated scams, avoid unverified downloads, and back up personal data regularly. The agency also warned users to remain alert against deepfake scams and impersonation attempts.

Why Mythos Is Drawing Attention

Mythos has recently drawn global attention after reports suggested it can identify software vulnerabilities and assist with cybersecurity testing. Several regulators and financial institutions worldwide have already begun reviewing risks associated with advanced AI cyber capabilities. CERT-In's latest advisory signals that Indian businesses, especially MSMEs, must prepare for a faster-moving cyber threat landscape as AI capabilities continue evolving.