DeepSeek Is a Win for Chinese Hackers

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Thinkst.

You can hear a podcast discussion of this newsletter by searching for "Risky Bulletin" in your podcatcher or subscribing via this RSS feed.

A beautiful reflection, Stability AI

Reactions to the rise of Chinese AI company DeepSeek have so far focused on its economic and geopolitical implications, but the company's models will also provide Chinese cyber espionage actors with their own indigenous capabilities. 

The company made headlines in January when it released its 'R1' Large Language Model (LLM), which boasts performance comparable to the latest LLMs from US companies such as OpenAI and Anthropic. DeepSeek was able to train and run its model at a considerably lower cost than its rivals, so it charges about 95% less for API access than OpenAI or Anthropic do for comparable models.  

However, last week the Italian government banned DeepSeek from operating in the country and this week the Australian government banned DeepSeek from government devices. 

These bans are motivated in part by the Chinese government's control of its companies as stated in its National Intelligence Law, Article 7:

All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of.
The State is to protect individuals and organizations that support, assist, and cooperate with national intelligence efforts.

Some security researchers highlight DeepSeek's Privacy Policy as particularly concerning, noting that it is quite explicit about collecting information such as "device model, operating system, keystroke patterns or rhythms, IP address, and system language". That strikes us as honest, and more or less in line with the Terms of Service of US-based AI companies (see this in-depth analysis for more). When your concern is Chinese government espionage, the privacy policy is also irrelevant, in that it is trumped by China's intelligence law. 

DeepSeek model outputs are censored, so there is evidence the company complies with Chinese law. Unsurprisingly, Article 4(1) of China's generative AI law requires that services "uphold core socialist values", which entails censoring sensitive topics that could 'endanger national security' by 'harming the nation's image, inciting separatism or undermining national unity and social stability'.

So, DeepSeek is toeing the line with regard to censoring sensitive topics, but there is no evidence the company is acting as a direct tool of the state. It has provided open versions of its R1 model that can be deployed locally to mitigate data privacy and espionage concerns. In addition, DeepSeek has also released detailed technical papers describing its training process. These measures would be highly unlikely if the Chinese Communist Party had direct control of the company. 

Still, China gonna China, so from the perspective of other governments, it is a no-brainer to prevent large-scale data transfer to the PRC by requiring the use of DeepSeek's models on locally-controlled servers rather than by API access.

However, rather than presenting an insurmountable geopolitical or economic risk, the real danger here is more mundane—that DeepSeek models will be used by malicious threat actors to accelerate their campaigns. 

So far at least, it appears the safety and security features of DeepSeek models aren't up to the standard of other companies developing LLMs. Cisco, for example, found that all of its techniques to 'jailbreak' DeepSeek R1 to elicit malicious behaviour were successful. 

We know from both OpenAI and Google threat reports that malicious actors use LLMs in their work. Google's latest report, released last week, noted "over 20 China-backed groups" use Gemini for activities such as reconnaissance, vulnerability research, scripting and development and translation.

We don't expect having a capable domestic LLM to help with these tasks will be a gamechanger for Chinese cyber espionage actors. However, it will make malicious activities easier to undertake and result in a loss of visibility for Google's threat intelligence teams.  

Comedy Bugs, Quantified

The UK's National Cyber Security Centre has published a methodology that quantifies whether a vulnerability is so stupid as to be 'unforgivable'. 

We love the idea of shaming vendors into improving security, but unfortunately, the paper pulls its punches and merely sets out a methodology without naming names.

The paper cites a 2007 description by Steve Christie of MITRE which says unforgivable vulnerabilities "are beacons of a systematic disregard for secure development practices. They simply should not appear in software that has been designed, developed, and tested with security in mind". 

In Risky Biz HQ parlance, these are "comedy bugs" and they appear all too frequently, particularly in what we like to call "enterprise crapware".

The NCSC defines vulnerabilities as forgivable when they are subtle, not well understood, and mitigation is very complicated or comes with high costs. They are unforgivable when they are well understood and should be easy to fix or mitigate. 

The paper analysed the 'Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses 2023' from MITRE and assessed how easily each weakness could be mitigated. Points were assigned for cost, knowledge and technical feasibility, resulting in a three (easy) to nine (hard) point score. The end result is the following table that ranks each mitigation with its 'implementation score'. The score measures how difficult it would be to implement a mitigation during a product's development.

Top-level mitigation             Implementation Score   Difficulty
Input Validation                 3                      Easy
Output Encoding                  3                      Easy
Reduce the Attack Surface        5                      Medium
Enforcement by Conversion        5                      Medium
Sandbox or Jail                  5                      Medium
Secure Programming               6                      Medium
Compilation or Build Hardening   6                      Medium
Separation of Privilege          6                      Medium
Libraries or Frameworks          6                      Medium
Secure Architecture and Design   7                      Hard
Language Selection               8                      Hard

The paper provides just one anonymised worked example of a recent vulnerability in which an unauthenticated SQL injection vulnerability resulted from three root causes. In this case, exploiting the vulnerability required setting a certain variable to NULL, which could have been mitigated with input validation. The NCSC rates this as an easy fix. Two other root causes were rated as medium difficulty to mitigate. Per the report:

While the exploitable vulnerability was difficult to find, one of the root causes was deemed easy to implement [mitigations for], and two were rated medium.
This vulnerability should not have existed and is unforgivable.

For us, the fact that the worst offenders (we're looking at you, Fortinet, Ivanti and Palo Alto Networks) aren't named is disappointing. 

Although it is not explicitly stated, surely the underlying intent is to shame vendors into adopting better security practices. Naming and shaming, however, doesn't really work without the 'naming', so we really hope there is a follow-up report that takes a crack at assessing some of the comedy gold found in commonly exploited vulnerabilities, such as those on CISA's Known Exploited Vulnerabilities (KEV) list.

The EU Strikes Back… Against Five-Year-Old Hacks

Last week the European Union (EU) announced sanctions against three officers of the GRU's notorious Unit 29155, which has been linked to nefarious activities around the globe. 

There is an internal EU bureaucratic logic to these sanctions, but unfortunately they won't make a lick of difference to the bigger problem of aggressive Russian behaviour.

Per my colleague Catalin Cimpanu's write-up of the EU's action:

GRU Unit 29155 has operated in secret since 2008, and its main objective for most of its existence has been assassinations and sabotage on foreign soil.
The unit has been linked to explosions at Czech ammo depots in 2014, an attempted coup in Montenegro in 2016, the 2018 poisoning of former GRU officer Sergei Skripal in the UK, and a 2020 bounty program that paid the Taliban tens of thousands of USD for each US and NATO soldier killed in Afghanistan.
Recent reports have also tentatively linked the unit to the notorious Havana Syndrome that impacted the US diplomats at embassies across the world.

The incidents Catalin covers deserve a serious response. However, the EU's sanctions cite intelligence collection operations dating back to 2020 that targeted Estonian government ministries. The operations, as described in public reporting, strike us as 'normal' cyber espionage that does not warrant sanctions.

Normally, we'd criticise the EU's sanctions process for being slow and muddying the line between acceptable and unacceptable behaviour. In our view, the 2020 Russian operations against Estonia were 'acceptable' because they targeted government assets and minimised collateral damage. That's how our intelligence agencies operate, so it is hypocritical to whine about that. Stronger responses such as sanctions and formal attributions should be saved for operations that cause avoidable harm or target organisations outside of government or defence.

Stefan Soesanto, a senior researcher at the Center for Security Studies at ETH Zurich, told Seriously Risky Business this sanctions package "has more to do with Estonian domestic politics than anything else". He pointed out that former Estonian Prime Minister Kaja Kallas is now the EU's High Representative for Foreign Policy and Security. 

Soesanto thinks that in 2020 the Estonian government wasn't really interested "in butting heads with Moscow" over the incident and it was only in September last year that the Estonian government formally attributed the 2020 attacks to Russia's GRU. This attribution "was highly likely coordinated with the US Department of Justice indictment", Soesanto said, as five GRU Unit 29155 members were indicted on the same day. 

After that attribution, the EU process was "pretty fast for the EU", taking less than four months excluding the Christmas break.

The actions of Unit 29155 certainly deserve a strong response, and formal attribution from a member state and rapid EU action are positives. The EU is flexing its sanction muscles against malicious cyber activities. Yay!

But taking a big picture view, the underlying problem here is Russia, its invasion of Ukraine and its sabotage and assassination operations across Europe. Cyber-related sanctions won't make a lick of difference.

Three Reasons to Be Cheerful This Week:

  1. Cybercrime forums seized: An international law enforcement operation has seized the domains of two of the most popular cybercrime forums, Cracked and Nulled. Authorities seized 12 domains and made two arrests. The United States Department of Justice says the operation involved actions in the US, Romania, Australia, France, Germany, Spain, Italy, and Greece. Risky Business News has more coverage.
  2. Pulling the plug on scam centres: The Thai government has announced that it will cut off electricity, internet and fuel supplies to five areas in Myanmar where scam groups are known to operate. The Bangkok Post says the "Ministry of Foreign Affairs has been tasked with informing the Myanmar government and notifying hospitals and communities that could be affected to make preparations". Thai police also announced the creation of an international coordination center that will begin operations in February. 
  3. Secure Amazon Redshift defaults: AWS has announced that it is making the defaults for the Amazon Redshift data warehouse more secure. Lax settings can make it easier for attackers to breach systems, so this is good news. But shouldn't defaults be, well, secure by default? 

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Thinkst CTO Marco Slaviero about a concept called Defending off the Land, a way to detect attacks and even deceive and frustrate attackers.

Paragon Hacking Outed by WhatsApp

Last week WhatsApp announced it had disrupted a hacking campaign by Israeli spyware company Paragon, which was acquired by an American private equity firm late last year. 

We've covered Paragon before. In June 2023 we wrote that, in contrast to fellow spyware provider NSO Group, Paragon's strategy had been to stay in the US government's good books. In an article covering these efforts, The Financial Times wrote:

American approval, even if indirect, has been at the heart of Paragon's strategy. The company sought a list of allied nations that the US wouldn't object to seeing deploy [Paragon's product] Graphite. People with knowledge of the matter suggested 35 countries are on that list, though the exact nations involved could not be determined. Most were in the EU and some in Asia, the people said.

"Everything they did was with the strategy that at the end of the day, the US should see them as the good guys," said one person familiar with the decisions.

Being pinged by WhatsApp doesn't necessarily mean Paragon was engaged in the abusive use of spyware—legitimate targets use WhatsApp, after all. We'll also have to see what the Trump administration's approach to the topic will be. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how the internet has got Salt Typhoon wrong. 

Or watch it on YouTube!

From Risky Biz News:

Crypto-stealer makes it on the iOS App Store: Kaspersky researchers have discovered a new crypto-stealer that has found its way into both the iOS and Android app stores.

Named SparkCat, the trojan takes photos from the phone's gallery and scans them with an OCR module to extract text that may appear in any of the images.

The malware looks for text that resembles mnemonic phrases in different languages, which may indicate the photo might be a screenshot of a cryptocurrency wallet recovery phrase.

Any photos matching mnemonic phrases are uploaded to the attacker's servers.

[more on Risky Business News]

Tbilisi public transport goes free after anti-government hack: Anti-government hackers have defaced payment systems installed in public transport buses in Georgia's capital, Tbilisi, to play pro-European songs and slogans.

The incident took place on Friday morning as residents headed to work.

The ticket scanners and point-of-sale devices played audio including the national anthems of Georgia and the EU, pro-EU speeches from local politicians, a segment from late Prime Minister Zurab Zhvania's statement at the Council of Europe in 1999 ("I am Georgian, therefore I am European"), and Beethoven's "Ode to Joy", considered the EU's unofficial anthem.

The Tbilisi City Hall shut down the system and is allowing residents to travel for free until the hacked systems are restored.

[more on Risky Business News]

Twitter account hacks: Multiple high-profile accounts have been hacked over the past week to promote various memecoins. Known victims so far: Snopes, TIME Magazine, the NASDAQ, the Tor Project, threat intel firm FalconFeeds, former Brazilian president Jair Bolsonaro, Twitch streamer Asmongold, sports journalist Jemele Hill, Breaking Bad actor Dean Norris, and various crypto-bro and smaller accounts.