Vulnerability in AI-driven IT operations tools exposes infrastructure to manipulated telemetry attacks

Researchers have recently revealed how attackers can exploit AIOps platforms by injecting false telemetry data to trigger harmful automated IT actions.

Researchers from RSAC Labs and George Mason University have uncovered a vulnerability in AI tools used for IT operations management, showing that these so-called AIOps systems can be manipulated through poisoned telemetry, potentially compromising infrastructure integrity.

The team have detailed their findings in a preprint paper titled “When AIOps Become ‘AI Oops’: Subverting LLM-driven IT Operations via Telemetry Manipulation”.

AIOps platforms leverage conversational interfaces powered by large language models to analyze system logs, performance metrics, traces, and alerts. These agents are designed to automate detection of issues and, in some cases, suggest or execute corrective actions.

However, by injecting false analytics data — or “poisoned telemetry” — attackers can deceive these tools into performing harmful operations, such as downgrading a software package to a vulnerable version. Mounting such an attack does not require extensive effort, although success depends on the system, implementation details, and model interpretation of logs.

• Attackers begin by using a fuzzer to catalog application endpoints, which generate telemetry for routine activities or errors.
• By engineering malicious log entries through crafted application programming interface requests, adversaries can embed explicit but deceptive remediation instructions into the system’s telemetry.
• The AIOps agent, unable to discern trustworthy information, may then execute actions dictated by the attacker. One cited example involved an agent overseeing the SocialNet application, manipulated to install a rogue package after processing adversarial logs. In tests using the SocialNet and HotelReservation applications, the attack had succeeded in 89.2% of attempts. Further evaluation with OpenAI’s GPT-4o and GPT-4.1 models have revealed susceptibility rates of 97% and 82%, respectively, although GPT-4.1 was better at detecting inconsistencies.

While the researchers propose an interim defense, dubbed AIOpsShield, to scrub harmful telemetry, they acknowledge its limitations against advanced attackers capable of poisoning multiple data sources or supply chains. Plans are underway to release AIOpsShield as open source.