By the CyberWire staff
At a glance.
- Italy blocks access to DeepSeek over data privacy concerns.
- Law enforcement disrupts cybercrime marketplaces.
- UnitedHealth says 190 million Americans were affected by Change Healthcare breach.
- AT&T hackers searched for information on the Trump family and Kamala Harris.
- State-sponsored threat actors are using generative AI to enhance productivity.
- Cybercriminals remain skeptical of AI tools.
- EU sanctions three GRU officers for cyberattacks against Estonia.
- Lazarus Group uses Trojanized software packages to target developers.
Italy blocks access to DeepSeek over data privacy concerns.
The Italian data protection authority Garante has blocked access to the DeepSeek app in Italy after the Chinese AI company failed to quell the Garante's concerns over its use of personal data, Reuters reports. The Garante said the company provided answers that were "considered to [be] totally insufficient." Garante board member Agostino Ghiglia told Reuters, "Not only did DeepSeek's response not give us any reassurance, it worsened their position, and that's the reason we decided to order the block." Reuters notes that the French and Irish data regulators are also questioning DeepSeek over its privacy policy.
DeepSeek was founded in 2023 and released its mobile app earlier this month, rattling US tech stocks. It's since overtaken ChatGPT as the top free app in Apple's App Store. The company's open-source LLM "DeepSeek-R1" is comparable to OpenAI's "o1" LLM, but is up to 95% more affordable, according to VentureBeat. The company claims to have trained the model for just $5.6 million.
Ben Thompson at Stratechery has written an explainer of DeepSeek's significance and how its R1 LLM compares to OpenAI's o1. Thompson states, "R1 is notable...because o1 stood alone as the only reasoning model on the market, and the clearest sign that OpenAI was the market leader. R1 undoes the o1 mythology in a couple of important ways. First, there is the fact that it exists. OpenAI does not have some sort of special sauce that can’t be replicated. Second, R1 — like all of DeepSeek’s models — has open weights (the problem with saying 'open source' is that we don’t have the data that went into creating it). This means that instead of paying OpenAI to get reasoning, you can run R1 on the server of your choice, or even locally, at dramatically lower cost."
The US government has banned the sale of high-end GPUs to China in an attempt to curb the country's AI development. Bloomberg notes, "While it remains unclear how much advanced AI-training hardware DeepSeek has had access to, the company’s demonstrated enough to suggest the trade restrictions have not been entirely effective in stymieing China’s progress."
Law enforcement disrupts cybercrime marketplaces.
A German-led international law enforcement operation has seized the domains of the Cracked and Nulled cybercrime marketplaces, BleepingComputer reports. Cracked and Nulled were two of the largest cybercrime forums in the world, with a combined 10 million users. Law enforcement also seized domains belonging to SellIX and StarkRDP, two services frequently used by cybercriminals. Additionally, the Spanish National Police arrested two individuals in Valencia.
Separately, US and Dutch authorities have seized 39 domains associated with online fraud marketplaces operated by the Pakistan-based cybercrime gang Saim Raza (also known as "HeartSender"). The US Justice Department states, "The Saim Raza-run websites operated as marketplaces that advertised and facilitated the sale of tools such as phishing kits, scam pages, and email extractors often used to build and maintain fraud operations. Not only did Saim Raza make these tools widely available on the open internet, it also trained end users on how to use the tools against victims by linking to instructional YouTube videos on how to execute schemes using these malicious programs, making them accessible to criminal actors that lacked this technical criminal expertise. The group also advertised its tools as 'fully undetectable' by antispam software." The DOJ adds that Saim Raza's phishing kits have resulted in at least $3 million in losses from US victims.
UnitedHealth says 190 million Americans were affected by Change Healthcare breach.
UnitedHealth disclosed Friday that approximately 190 million Americans had their data breached during a ransomware attack against the company's Change Healthcare platform last February, TechCrunch reports. The company had previously estimated the number to be around 100 million individuals. A spokesperson for UnitedHealth Group told TechCrunch, “The vast majority of those people have already been provided individual or substitute notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date."
Change Healthcare is the principal electronic clearinghouse in the US healthcare industry. UnitedHealth previously disclosed that the breach involved personal information including Social Security numbers, driver’s license numbers, and passport numbers, as well as medical information like diagnoses, medications, test results, imaging, and care and treatment plans. The incident also affected banking and financial information. TechCrunch notes that the cyberattack caused the largest breach of medical data in US history.
AT&T hackers searched for information on the Trump family and Kamala Harris.
404 Media reports that the hackers responsible for last year's major AT&T breach searched the stolen data for information on top politicians and their family members. The hackers found phone records belonging to Melania, Ivanka, and Tiffany Trump, Kamala Harris, and Marco Rubio's wife. The hackers then used this information as part of their extortion campaign against AT&T. Sources told 404 Media that the hackers also planned to release a paid search tool that would have allowed users to look through the data.
The two individuals allegedly responsible for the AT&T breach have since been arrested. One is a Canadian named Connor Riley Moucka, and the other is an American residing in Turkey named John Binns.
State-sponsored threat actors are using generative AI to enhance productivity.
Google has published a report on state-sponsored APTs' misuse of its generative AI application Gemini. The researchers found that threat actors from China, Russia, and other foreign governments are primarily using the tool for research, code debugging, and content creation, rather than for creating novel capabilities. Google notes that Iranian threat actors were the heaviest users of Gemini, mostly using the tool to assist in information operations. North Korean groups used the tool to draft cover letters and job applications, likely in support of Pyongyang's efforts to plant fraudulent IT workers within Western companies. Google says the threat actors were unsuccessful in their attempts to get Gemini to assist in explicitly malicious tasks.
The researchers conclude that current generative AI tools allow threat actors to improve productivity but are unlikely to be used as groundbreaking cyberweapons: "Rather than enabling disruptive change, generative AI allows threat actors to move faster and at higher volume. For skilled actors, generative AI tools provide a helpful framework, similar to the use of Metasploit or Cobalt Strike in cyber threat activity. For less skilled actors, they also provide a learning and productivity tool, enabling them to more quickly develop tools and incorporate existing techniques."
Cybercriminals remain skeptical of AI tools.
Cybercriminals have been slower to incorporate AI tools into their workflows, according to researchers at Sophos. Criminal use of generative AI has mostly been limited to automating tasks such as spamming emails and sifting through datasets, while some toolkits have incorporated AI to assist in social engineering attacks. Over the past year, the researchers observed only a few "primitive and low-quality" attempts by cybercriminals to develop malware or exploits via AI tools, and these were met with skepticism on underground forums. The researchers note, "Threat actors who use AI to create code or forum posts risk a backlash from their peers, either in the form of public criticism or through scam complaints."
EU sanctions three GRU officers for cyberattacks against Estonia.
The European Union yesterday sanctioned three Russian nationals for allegedly launching cyberattacks against Estonia in 2020, BleepingComputer reports. The EU says the three individuals are officers of the GRU's 161st Specialist Training Center (also known as Unit 29155).
The EU stated, "The cyber-attacks granted attackers unauthorized access to classified information and sensitive data stored within several government ministries—including Economic Affairs and Communications, Social Affairs, and Foreign Affairs—leading to the theft of thousands of confidential documents. These documents included business secrets, health records, and other critical information compromising the security of the affected institutions. Unit 29155 is also responsible for conducting cyber-attacks against other EU member states and partners, notably Ukraine."
Lazarus Group uses Trojanized software packages to target developers.
SecurityScorecard has published a report on an attack campaign by North Korea's Lazarus Group that used malicious clones of legitimate software packages and open-source tools to target developers in the cryptocurrency and technology sectors. The threat actors forked open-source projects with backdoored versions of popular tools, including repositories belonging to Codementor, CoinProperty, Web3 E-Store, a Python-based password manager, and cryptocurrency-related apps, the Register says.
The campaign compromised more than 1,500 systems, with a focus on Europe, India, and Brazil. The attackers exfiltrated development credentials, authentication tokens, browser-stored passwords, and system information.
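The defensive counterpart to a campaign built on backdoored clones of legitimate packages is to refuse any artifact whose bytes do not match a digest the developer pinned in advance. The script below is an added example, not code from the CyberWire article or from SecurityScorecard's report; it reimplements the hash-pinning check that pip applies in `--require-hashes` mode so the mechanism is visible. The requirement line, package name `example-pkg`, and the two artifact files are constructed for the demonstration; the tampered file stands in for a trojanized rebuild whose contents differ from the upstream release.

```python
"""Verify downloaded package artifacts against pinned hashes (added example)."""
import hashlib
import os
import re
import tempfile

# Matches the --hash=alg:hex fragments on a requirements.txt line, e.g.
#   example-pkg==1.0.0 --hash=sha256:<hex>
_HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<hex>[0-9a-fA-F]+)")
# Matches the pinned "name==version" prefix of such a line.
_NAME_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>\S+)")


def parse_pinned_requirements(text):
    """Return {(name, version): {alg: set(hex digests)}} from requirements text.

    A line without an exact version pin or without any --hash is rejected,
    mirroring pip's rule that in --require-hashes mode every requirement
    must be both pinned and hashed; one unhashed line would otherwise be a
    hole through which a substituted package could enter.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _NAME_RE.match(line)
        hashes = _HASH_RE.findall(line)
        if not m or not hashes:
            raise ValueError(f"unpinned or unhashed requirement: {line!r}")
        key = (m.group("name").lower(), m.group("ver"))
        entry = pins.setdefault(key, {})
        for alg, hexdigest in hashes:
            entry.setdefault(alg, set()).add(hexdigest.lower())
    return pins


def digest_file(path, alg="sha256"):
    """Stream the file through the named hash and return its hex digest."""
    h = hashlib.new(alg)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path, name, version, pins):
    """True only if the file's digest matches a pinned hash for (name, version).

    An artifact for a package that was never pinned is refused rather than
    trusted: absence of a pin is treated as a failure, not as "no opinion".
    """
    entry = pins.get((name.lower(), version))
    if not entry:
        return False
    return any(digest_file(path, alg) in allowed for alg, allowed in entry.items())


def demo():
    """Build a genuine and a tampered artifact and check both against the pin.

    Returns (genuine_ok, tampered_ok); the expected result is (True, False).
    """
    genuine = b"genuine wheel bytes (constructed sample)"
    tampered = genuine + b"\n# extra bytes standing in for a backdoored rebuild"
    reqs = "example-pkg==1.0.0 --hash=sha256:" + hashlib.sha256(genuine).hexdigest()
    pins = parse_pinned_requirements(reqs)
    with tempfile.TemporaryDirectory() as d:
        g = os.path.join(d, "genuine.whl")
        t = os.path.join(d, "tampered.whl")
        with open(g, "wb") as f:
            f.write(genuine)
        with open(t, "wb") as f:
            f.write(tampered)
        return (verify_artifact(g, "example-pkg", "1.0.0", pins),
                verify_artifact(t, "example-pkg", "1.0.0", pins))


if __name__ == "__main__":
    ok, bad = demo()
    print(f"genuine verifies: {ok} | tampered verifies: {bad}")
```

The check only helps if the pinned digests were recorded from a release the team already trusts, so the pin file itself belongs under code review like any other source change; a lockfile regenerated against an attacker's fork would simply pin the attacker's bytes.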