
Cyberattacks against DeepSeek escalate with botnets joining, command surging over 100 times: lab

Source: MK socks  Time: 2025-02-03 06:54:00


Photo: DeepSeek


Cyberattacks targeting Chinese AI start-up DeepSeek suddenly escalated early on Thursday, with attack commands surging by more than 100 times compared to a previous wave of attacks on Tuesday, the Global Times learned from Chinese cybersecurity firm XLab on Thursday.

The lab said that it observed at least two botnets participating in the attacks on Thursday, launching two waves of assaults. 

DeepSeek has been subjected to large-scale and sustained DDoS attacks since January 3 or 4, according to XLab.

"At first, the attacks were SSDP and NTP reflection amplification attacks. On Tuesday, a large number of HTTP proxy attacks were added. Then in early this morning, botnets were observed to have joined the fray. This means that the attacks on DeepSeek have been escalating, with an increasing variety of methods, making defense increasingly difficult and the security challenges faced by DeepSeek more severe," a security expert from XLab told the Global Times on condition of anonymity. 

XLab told the Global Times that, through nearly a month of continuous monitoring of DeepSeek, it had discovered that the attacks on DeepSeek have been gradually evolving: from easy-to-mitigate amplification attacks at the beginning, to HTTP proxy attacks (application-layer attacks, which are harder to defend against) on Tuesday, and now to primarily botnet-based attacks. Attackers are using multiple techniques and methods to target DeepSeek, XLab said.

According to a report XLab sent to the Global Times, in the early hours of Thursday, the lab observed two Mirai variant botnets, HailBot and RapperBot, participating in the attacks. These attacks, which came in two waves at 1 am and 2 am, involved 118 C2 ports across 16 C2 servers.

"The involvement of botnets indicates that professional attackers have entered," the XLab expert said.

According to XLab, botnets are networks of devices, known as "zombies" or "bots," that attackers have infected and control through malicious software. Attackers use Command and Control (C&C) servers to send commands to these devices, executing various tasks such as launching DDoS attacks on target servers simultaneously. The scale and intensity of the attacks will continue to increase, exhausting the target servers' network bandwidth and system resources, rendering them unable to respond to normal business operations, ultimately leading to paralysis or service disruption.

The two botnets used in this attack, HailBot and RapperBot, are two long-active botnets that provide professional DDoS services to attack global targets. RapperBot attacks an average of more than 100 targets daily, with peak command volumes in the thousands. Its targets are distributed across Brazil, Belarus, Russia, China, Sweden, and other regions. HailBot's attacks are more stable than RapperBot's, with an average of thousands of attack commands daily targeting more than 100 targets distributed in the Chinese mainland, the US, the UK, China's Hong Kong region, Germany, and other regions, according to XLab. 

XLab found that these two botnets frequently "take orders," fitting the profile of typical "professional hitmen." The lab believes that while botnet attacks are an old method, they remain effective. "Clearly, in the wave of attacks early this morning, hackers have procured professional botnet attack services," said the XLab expert. 

DeepSeek gained widespread attention after it released the latest open-source model DeepSeek-R1 earlier in January. The model has achieved an important technological breakthrough: using pure deep learning methods to allow reasoning capabilities to emerge spontaneously in AI.

On Tuesday, the eve of Chinese New Year, the company launched a new open-source multimodal model Janus-Pro, an upgraded version of its earlier Janus model, which significantly enhances multimodal understanding and visual generation capabilities and reportedly outperforms OpenAI in benchmark tests.

The attacks in the past months have affected the registration and services of DeepSeek. DeepSeek reportedly released an announcement on Tuesday saying that its online services had recently been subjected to large-scale malicious attacks. To ensure continued service, the company had temporarily restricted registration methods other than those with +86 mobile phone numbers. 

Tuesday's attacks on DeepSeek also raised global concerns over the security of AI services. "The attack, which forced DeepSeek to disable new user registrations, is believed to be a distributed denial-of-service attack targeting its API and web chat platform. While existing users can still access the platform, this incident raises broader questions about the security of AI-driven platforms and the potential risks they pose to consumers," read a Forbes report on Tuesday.

Global Times