Cyber Intelligence
CyberWarfare & DeepSeek
This report contains selected cyber-security information from 24th January to 6th February 2025.
This report is TLP:CLEAR1 and MAY be shared freely.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release : 6th February 2025.
Synopsis
1. Russia and Ukraine get busy, launching nastier cyber attacks. Russia targets U.S. Oil and Gas Industry and Polish sewage, while Ukraine attacks Russian telecommunications and Gazprom. A Ukrainian (ally?) whacks Russian Defence targets. PRC Hackers get inside a South Korean VPN Provider. What’s the fuss over ‘DeepSeek’? What is it? Is it any good? Did DeepSeek get hacked?
2. It is our assessment that the three major sources of cyber conflict (Russia vs Ukraine, Iran vs Israel, and the People’s Republic of China) are the most likely sources for the creation of next generation malware and/or a primary source of cyber attacks. This includes government funded hackers (military, intelligence and civilian employees), affiliated hackers (criminals and mercenaries), and volunteer ‘supporters’.
Russia vs Ukraine
3. Russian Activity: Russia Cyber-Attacks Estonia. Estonia reports that the number of cyber attacks against the country in 2024 was 2.5 times the 2023 figure. In 2023 and earlier, “Estonian government and corporate web servers hosting e-services were the primary targets of DDoS attacks.” In 2024, “name servers, which help users access websites, became a key target.”2 The shift matters: taking a zone’s authoritative name servers offline denies every service under that zone at once, even when the web servers themselves stay up. Data breaches also doubled in 2024. The European Union (EU) is playing catch-up, identifying and sanctioning the members of Russia’s GRU involved in the attacks.
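As an added illustration (not part of the CIDC report, and not code from any of the organisations it cites), the following is the kind of check a name-server operator could run over an exported query log to spot the two common flood shapes: a single client hammering the server with random subdomains, and a botnet in which every bot stays under any per-client limit but all query the same name. The log format, the thresholds and the sample traffic are constructed for the example; `detect_floods` and `constructed_log` are names chosen here.

```python
"""Sliding-window detection of DNS query floods against a name server.

Added example (not from the CIDC report). The log format, thresholds and
sample traffic below are constructed for illustration: one query per line,
"<epoch_seconds> <client_ip> <qname> <qtype>", as a resolver's or an
authoritative server's query log might be exported.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 5      # sliding window length (assumed)
PER_SOURCE_LIMIT = 50   # queries from one client per window before alerting (assumed)
PER_QNAME_LIMIT = 60    # queries for one name per window before alerting (assumed)


def parse_line(line):
    """Split one constructed log line into (timestamp, client, qname, qtype)."""
    ts, src, qname, qtype = line.split()
    return int(ts), src, qname.lower().rstrip("."), qtype


def detect_floods(lines, window=WINDOW_SECONDS,
                  src_limit=PER_SOURCE_LIMIT, qname_limit=PER_QNAME_LIMIT):
    """Return {'sources': {ip: peak}, 'qnames': {name: peak}} for offenders.

    Two independent views are kept because the two flood shapes differ:
    a single client sending random subdomains (cache-busting 'water
    torture') shows up per source, while a botnet querying one name shows
    up per qname with each bot staying under the per-source limit.
    """
    events = sorted(parse_line(l) for l in lines)   # order by timestamp
    per_src = defaultdict(deque)
    per_qname = defaultdict(deque)
    alerts = {"sources": {}, "qnames": {}}
    for ts, src, qname, _ in events:
        for key, table, limit, bucket in (
            (src, per_src, src_limit, "sources"),
            (qname, per_qname, qname_limit, "qnames"),
        ):
            dq = table[key]
            dq.append(ts)
            while dq[0] <= ts - window:      # drop events outside the window
                dq.popleft()
            if len(dq) > limit:
                alerts[bucket][key] = max(alerts[bucket].get(key, 0), len(dq))
    return alerts


def constructed_log():
    """Constructed traffic: benign background plus two flood shapes."""
    base = 1738_000_000
    lines = []
    # Benign: five clients, one query every two seconds for twenty seconds.
    for t in range(0, 20, 2):
        for i in range(5):
            lines.append(f"{base + t} 198.51.100.{i + 1} www.example.ee A")
    # Random-subdomain flood: one client, 150 unique names in three seconds.
    for n in range(150):
        lines.append(f"{base + 10 + n // 50} 203.0.113.77 {n:04x}.example.ee A")
    # Distributed flood: forty clients, three queries each for one name in two seconds.
    for i in range(40):
        for k in range(3):
            lines.append(f"{base + 15 + k % 2} 192.0.2.{i + 1} api.example.ee AAAA")
    return lines


if __name__ == "__main__":
    print(detect_floods(constructed_log()))
```

On the constructed traffic the single flooding client is reported with a peak of 150 queries in the window and `api.example.ee` with a peak of 120, while the benign clients and the benign name stay below both limits. In production the thresholds would be tuned from a baseline of normal query rates, and a per-source alert with a high ratio of distinct names is the signature to look for when the target is an authoritative server.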
4. EU Responds to Attacks on Estonia. On 28th January, “the European Union announced sanctions for three members (Nikolay Korchagin, Vitaly Shevchenko, and Yuriy Denisov) of Unit 29155 of Russia’s military intelligence service (GRU) for their involvement in cyberattacks against Estonia in 2020. … The state-sponsored hackers stole sensitive documents, including business secrets, health records, and other critical information compromising the security of the targeted institutions. … Russia’s GRU Unit 29155 is also responsible for attempted coups, influence operations, and assassination attempts across Europe. Since 2020, the unit has expanded into offensive cyber operations aimed at espionage, reputational harm, and data destruction. … Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cyber-criminals and enablers to conduct their operations.3”
5. Another Russian Hacking Team Targets EU Embassies. Russian government hackers tracked as UAC-0063 have expanded their target set. Active since 2021, the group is known for attacking Ukraine and governments in Central Asia. Cyber security company Bitdefender has identified it as “targeting entities such as embassies in multiple European countries, including Germany, the U.K., the Netherlands, Romania, and Georgia.”4 The group uses stolen diplomatic documents, weaponized with a downloader, as lures; the downloader then extracts information from the victim who opens them.
6. New Russian Hacker Group Targets U.S. Oil & Gas. On 31st January, computer security company Cyble announced it had identified a new pro-Russian hacking group named ‘Sector 16’. Sector 16 “hacked into control panels in energy facilities and tampered with system control settings … working with another pro-Russian group – Z-Pentest – which has been hacking into critical water and energy infrastructure since last year.” The groups continue “a trend of Russian hacktivists posting videos of their members tampering with critical infrastructure control panels. … Cyble speculated that the videos may be ‘more to establish credibility or threaten than to inflict actual damage, although in one case Z-Pentest claimed to disrupt a U.S. oil well system.’ ” Whether or not damage follows, each video shows a control panel that was reachable from the internet, and that exposure is the condition operators need to remove.
7. NoName Hacks Polish Sewage. On 3rd February, the Russian hacker groups NoName057(16) and Z-Pentest attacked Polish sewage treatment plants. Z-Pentest claimed it was “ ‘changing all the parameters’ of its sewage treatment plants. This allegedly disrupted its operations despite the alarms going off.”5 NoName057(16) also claimed cyber attacks (probably DDoS attacks) against seventeen websites belonging to various Polish companies.
8. Ukrainian Activity: Russian Telecommunications Targeted. On 24th January it was reported that Ukrainian intelligence had attacked a major Russian telecommunications provider, MegaFon. According to Ukrainian intelligence sources, “other operators, including Yota and NetByNet, also experienced disruptions. The attack temporarily cut off Russians from internet resources and services such as Steam, Twitch, and Discord — platforms widely used by the Russian military and intelligence services in their operations against Ukraine.”6 Affected users were left without mobile phone service or internet access throughout Friday, 24th January. Ukrainian intelligence described it as a successful ‘carpet attack’ (a distributed denial-of-service attack).
9. Hackers Use Russian Tactics on Russian Defence Industry. On 27th January, a previously unknown threat actor was reported to be attacking Russian entities using “tradecraft associated with the Kremlin-aligned Gamaredon hacking group.” According to cyber security company Knownsec’s 404 Advanced Threat Intelligence team, “The TTP (Tactics, Techniques, and Procedures) of this organization imitates that of the Gamaredon organization which conducts attacks against Ukraine.”7 The attacks appear to target military facilities. The lure is an emailed document that, when opened, gives the attacker remote access. Knownsec attributes the activity to a threat cluster dubbed ‘GamaCopy’, which shares signatures with another hacking group named ‘Core Werewolf’. Analyst Comment: This threat cluster consistently targets Russian defence organizations and individuals, including the defence industry. Its aim is information extraction rather than profit, which points to a government-sponsored group rather than a criminal organization.
10. Ukraine Disrupts Gazprom’s Services. On 29th January, cyber specialists from Ukraine’s Military Intelligence Agency (HUR) launched a distributed denial-of-service (DDoS) attack that severely disrupted Gazprom’s digital services. The date is symbolic: on 29th January 1918, Ukrainian cadets and volunteers fought about 5,000 Bolshevik troops intent on seizing Kyiv. The DDoS “attack targeted critical online systems, and as a result, customers have been unable to access accounts, process fuel payments, or use other digital services since January 28.”8
People’s Republic of China
11. PRC Hackers Target South Korean VPN Provider. On 22nd January, cyber security company ESET warned that a People’s Republic of China (PRC) hacking group it tracks as PlushDaemon had compromised the installer of IPany, a South Korean VPN provider. ESET reported, “we discovered that the installer was deploying both the legitimate software and the backdoor that we’ve named SlowStepper.” PlushDaemon has been active since 2019 and has a track record of cyber-espionage in China, Taiwan, South Korea, and the U.S. ESET also warns that the compromised website contained no code to serve the malicious installer only to users in a particular geographic region or IP range: “Therefore, we believe that anyone using the IPany VPN might have been a valid target.”9 ESET published its findings in the company blog. Because the backdoor arrived in the vendor’s own installer, the usual advice to download only from the official site does not help; organizations should compare installer hashes against an independently obtained value and treat hosts on which the installer was run as potentially compromised.
12. DeepSeek. Following the U.S. Government announcement of ‘Action to Enhance AI Leadership’10, ‘DeepSeek’, an artificial intelligence (AI) start-up based in the People’s Republic of China, released its latest model, called ‘DeepSeek R1’. DeepSeek claimed the model “rivalled technology developed by ChatGPT-maker OpenAI in its capabilities while costing far less to create.” The announcement wiped “billions of dollars off the market value of chip giant Nvidia – and called into question whether American firms would dominate the booming artificial intelligence (AI) market, as many assumed they would.” Microsoft and OpenAI quickly announced they would investigate whether DeepSeek had improperly obtained data from OpenAI’s models to train its own.11
A. What is DeepSeek (the chatbot)? One way to think of chatbots is as ‘research assistants’. Asked a question, they compose an answer from patterns learned from their training data; some can also search the Internet to supplement that. Chatbots have been known to ‘make up’ answers (hallucinate), and others have produced answers that are incomplete and/or lack context. DeepSeek is another chatbot-style research assistant that answers questions, built on the company’s R1 model.
B. Can DeepSeek (the chatbot) do what is claimed? Yes … and No. Yes, DeepSeek can be asked questions, exactly like other chatbots, and it appears able to ask for context before answering, which improves the quality of its results. No, DeepSeek is also a tool created inside the PRC, which means it will not give useful answers to questions about ‘China’ or Tiananmen Square. Note also that questions put to the hosted chatbot are stored on the company’s servers (see C below). Analyst Comment: I expect other shortcomings will be revealed.
C. Did DeepSeek (the company) get cyber-attacked?12 Yes … and No. Analyst Comment: It is assessed as highly likely that some pro-American/anti-PRC hackers hit the company with DDoS attacks; the PRC and DeepSeek are certain the company was attacked.13 That said, it is also highly unlikely that the company foresaw the surge of new account registrations that followed the announcement, which would overwhelm its servers in much the same way as a DDoS attack. The other problem was that DeepSeek did not secure its database infrastructure. “That means conversations with the online DeepSeek chatbot, and more data besides, were accessible from the public internet with no password required.”14 No exploit was needed: anyone who found the database, including competitors wanting to know how DeepSeek achieved its results, could simply connect and download a ‘wide range of information’. Did DeepSeek get hacked? Mostly NO.
13. Analyst Final Comment: It should not come as a surprise to anyone that a country that works as hard at stealing intellectual property as the PRC should be able to rapidly produce a competing product.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org