Cert-In warns MSMEs about Anthropic's Mythos and other AI models that can drive cybercrime risks

CERT-In has issued a high-severity advisory to Indian MSMEs on cybersecurity risks posed by advanced AI systems, such as Anthropic’s Mythos and similar frontier models. In a recent advisory titled “Defending Against Frontier AI-Driven Cyber Risks”, the Indian cybersecurity watchdog said emerging AI models are now capable of identifying software vulnerabilities, automating reconnaissance, generating phishing content and executing multi-stage cyberattacks at a speed that previously required teams of skilled experts. CERT-In warned that these capabilities could lower the barrier to entry for cybercriminals and increase the risks for businesses with weak security systems.According to the advisory, frontier AI models are increasingly capable of carrying out complex cyber operations with minimal human intervention. Cert-In said these systems can perform:The agency warned that such tools can be used for defensive cybersecurity tasks but may also be misused by threat actors.“It is likely that AI systems with such advanced cyber capabilities will continue to emerge and mature in near future,” the advisory notedCERT-In added that the dual-use nature of these tools could help attackers automate exploitation campaigns and scale attacks.

What risks do MSMEs face

The agency said MSMEs remain particularly vulnerable because of limited cybersecurity budgets and smaller security teams. According to CERT-In, businesses may face:The advisory also warned about risks to interconnected systems and supply chains.For businesses, CERT-In recommended stronger monitoring and faster responses to emerging vulnerabilities. The agency advised organisations to:CERT-In also said companies should treat newly disclosed vulnerabilities with urgency.“Treat every newly disclosed critical vulnerability in widely deployed software as something that could be exploited within hours, not weeks,” the advisory added.The advisory also pushed organisations to adopt Zero Trust Network Architecture. CERT-In recommended:The agency also warned businesses to review older VPN systems, which are often targeted by attackers.CERT-In said businesses should significantly reduce patch deployment timelines. It advised companies to:The advisory even urged organisations to monitor cloud environments for misconfigurations. CERT-In also said that smaller businesses should focus on cost-effective security measures. Recommendations for MSMEs include:The agency also urged MSMEs to train employees regularly.“Conduct regular cybersecurity training to educate employees on risks of AI-generated content and scams,” Cert-In advisory noted.CERT-In also warned individual users that personal devices can become targets. It advised people to:The agency also warned users to remain alert against deepfake scams and impersonation attempts.Mythos has recently drawn global attention after reports suggested that the AI model can identify software vulnerabilities and assist with cybersecurity testing.Several regulators and financial institutions worldwide have already begun reviewing risks associated with advanced AI cyber capabilities.CERT-In’s latest advisory signals that Indian businesses, especially MSMEs, may also need to prepare for a faster-moving cyber threat landscape as AI capabilities continue evolving.