Chinese APT groups target dozens of Cambodian government orgs
Two prominent Chinese government hacking groups are targeting at least 24 Cambodian government organizations through cloud backup services, according to a new report.
First reported by the Washington Post on Wednesday, the report from Palo Alto Networks’ Unit 42 does not name the APT groups but said the company’s researchers “assess with high confidence that these Cambodian government entities were targeted and remain compromised by Chinese APT actors.”
“This assessment is due to the malicious nature and ownership of the infrastructure combined with persistent connections over a period of several months,” they explained. The Washington Post attributed the activity to China’s Ministry of State Security.
The researchers discovered the compromises by monitoring telemetry associated with the Chinese APT groups, finding inbound connections originating from at least 24 Cambodian government organizations.
A spokesperson for the Cambodian government did not respond to requests for comment.
Palo Alto researchers said they have been tracking servers used by the hacking groups and noted several host subdomains that masquerade as cloud storage services.
This, they said, allows the hackers to disguise the unusual amounts of traffic that come from data exfiltration.
The Cambodian government organizations were seen communicating with this infrastructure in September and October. The government agencies affected include National Defense, Election Oversight, Human Rights, National Treasury, Finance, Commerce, Politics, Natural Resources and Telecommunications.
These organizations hold troves of sensitive financial data, citizen information and classified government documents.
“We assess that these organizations are likely the targets of long-term cyberespionage activities that have leveraged this infrastructure for persistent access to government networks of interest,” the researchers said.
The researchers said there were several pieces of evidence suggesting the group is based in China, including its day-to-day work schedule. Activity stopped between September 29 and October 8, which aligns with China's Golden Week holiday from September 29 to October 6 (October 7 and 8 fell on a weekend). Activity returned to normal levels on Monday, October 9.
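The two observations above, cloud-storage lookalike hostnames used to blend exfiltration into normal traffic and a holiday-shaped gap in connection activity, are both things a defender can check for in their own network telemetry. The following is an added example, not code from Unit 42 or from the report; the log format, the sample flow records, the hostnames (all under reserved `.example` domains) and the provider allowlist are constructed for illustration.

```python
"""Two telemetry heuristics: (1) hostnames that imitate a cloud-storage or
backup service but are not served from a known provider's domain, and
(2) day-by-day activity gaps that may line up with an operator's holidays.
Log format, sample records and hostnames are constructed for this example."""
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed flow records: "<ISO timestamp> <source org> <destination host> <bytes out>"
SAMPLE_LOG = """\
2023-09-25T09:12:03Z org-a onedrive.sync-backup.example 52428800
2023-09-25T10:40:11Z org-a drive.google.com 10240
2023-09-26T08:55:42Z org-b dropbox-cdn.storage-node.example 73400320
2023-09-27T14:02:19Z org-a onedrive.sync-backup.example 61865984
2023-09-28T16:30:00Z org-c storage.googleapis.com 4096
2023-09-28T17:45:27Z org-b dropbox-cdn.storage-node.example 69206016
2023-10-09T09:05:51Z org-a onedrive.sync-backup.example 58720256
2023-10-10T11:20:08Z org-b dropbox-cdn.storage-node.example 70254592
"""

# Hostname label fragments that suggest a cloud-storage or backup service.
STORAGE_HINTS = ("onedrive", "dropbox", "drive", "storage", "backup", "sync")

# Registrable domains of the genuine providers (assumed list; extend for your estate).
KNOWN_PROVIDERS = {"live.com", "microsoft.com", "dropbox.com", "google.com",
                   "googleapis.com", "amazonaws.com"}


def parse_log(text):
    """Parse the constructed whitespace-separated flow format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, org, host, nbytes = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "org": org,
            "host": host.lower().rstrip("."),
            "bytes": int(nbytes),
        })
    return records


def registrable_domain(host):
    # Simplification: the last two labels. Production code should consult the
    # Public Suffix List so that names like example.co.uk are handled correctly.
    return ".".join(host.split(".")[-2:])


def lookalike_storage_hosts(records):
    """Map host -> total bytes out, for hosts whose subdomain labels imitate a
    storage service while the registrable domain is not a known provider's."""
    flagged = {}
    for r in records:
        host = r["host"]
        if registrable_domain(host) in KNOWN_PROVIDERS:
            continue  # genuine provider traffic is not the concern here
        labels = host.split(".")[:-2]  # only the subdomain part carries the lure
        if any(hint in label for label in labels for hint in STORAGE_HINTS):
            flagged[host] = flagged.get(host, 0) + r["bytes"]
    return flagged


def daily_activity(records):
    """Connections per calendar day (UTC); missing days count as zero."""
    return Counter(r["ts"].date() for r in records)


def quiet_days(records, start, end):
    """Dates in [start, end] (ISO strings) with no connections at all.
    Weekends are included; compare the result against a holiday calendar."""
    counts = daily_activity(records)
    d, end = date.fromisoformat(start), date.fromisoformat(end)
    days = []
    while d <= end:
        if counts[d] == 0:
            days.append(d)
        d += timedelta(days=1)
    return days


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, total in lookalike_storage_hosts(recs).items():
        print(f"lookalike storage host {host}: {total} bytes out")
    gap = quiet_days(recs, "2023-09-25", "2023-10-10")
    print("quiet days:", ", ".join(d.isoformat() for d in gap))
```

The hostname check is deliberately conservative: it only fires when the lure word sits in the subdomain and the registrable domain is outside the allowlist, so ordinary `drive.google.com` traffic is never flagged. The gap check is only a prompt for an analyst; a run of quiet days is interesting when it coincides with a holiday calendar for a suspected operator's country rather than with the victim's own.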
The researchers believe the campaign is part of a long-term espionage effort and “aligns with geopolitical goals of the Chinese government as it seeks to leverage their strong relations with Cambodia to project their power and expand their naval operations in the region.”
Cambodia has long been one of China's most ardent allies, often drawing the ire of other Southeast Asian nations for its defense of Chinese territorial aims in the South China Sea.
Cambodia is also a significant part of China’s Belt and Road Initiative (BRI) and will host the controversial Ream Naval Base — one of China’s first overseas military outposts in Southeast Asia.
Despite the close relationship, there have been signs of minor fraying between the two countries since Cambodian dictator Hun Sen ended his nearly 40-year rule and handed control of the country over to his son, Hun Manet, this summer.
A recent Chinese film spotlighting the scourge of human-trafficking-backed online scams drew outrage among Chinese citizens and has forced the Chinese government to take a harder stance against cybercrime groups. Many of these online scams, most of which target the elderly in China, are run out of compounds in Cambodia and Myanmar.
Cambodian officials tried to ban the film from being shown and have stymied efforts by police from China, Vietnam and Thailand to disrupt the scam compounds and rescue people held captive.
For years, Chinese APT groups have launched an array of espionage campaigns targeting allies and foes across Southeast Asia. Cybersecurity firm Mandiant (then part of FireEye) previously reported in 2018 that Chinese hackers broke into the systems of several Cambodian government entities.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.