17 July 2018

Chinese Cyber-Spy Hackers Target Cambodia as Elections Loom


Chinese cyber spies have targeted Cambodian government institutions, opposition party members, diplomats and media, possibly to gather information ahead of elections later this month, according to cybersecurity firm FireEye Inc.  The hacks are suspected to come from a Chinese cyber espionage group known as TEMP.Periscope, according to a report by FireEye, which had previously linked the same group to attacks on targets including U.S. engineering and defense companies with interests in the South China Sea, a key transport waterway that China claims mostly for itself. The attacks come as Asia’s longest-serving Prime Minister Hun Sen seeks re-election on July 29 in a campaign bereft of an effective opposition since the dissolution of the Cambodia National Rescue Party and the arrest of its leader Kem Sokha last year over accusations that he plotted with the U.S. to overthrow the government.


The intrusions are the latest example of China’s willingness to use cyber tools to obtain information at sensitive times when its interests are at stake: Chinese cyber spies targeted Taiwan opposition parties during the 2015 presidential and legislative elections and earlier this year sought information from Japanese defense companies about Tokyo’s policy toward resolving the North Korean nuclear impasse.

“We expect this activity to provide the Chinese government with widespread visibility into Cambodian elections and government operations,” said Ben Read, senior manager of FireEye iSIGHT Intelligence’s cyber espionage team in Reston, Virginia. “The compromises fit the overall MO of Chinese espionage in that they gather up all the information that they can.”

One target, Monavithya Kem, daughter of Kem Sokha, became aware she was under attack from a so-called phishing email when she noticed its address wasn’t from the human rights organization that was supposed to have sent it. Kem was in Washington at the time. The email was sent to FireEye, which traced it to one of three servers it believes is controlled by the Chinese hackers.

“Initially I thought it was from the ruling party, but it is very disturbing to know it is coming from a foreign entity,” said Kem, an official in CNRP who faces arrest should she return to her country. “I hope the Cambodian government will find this disturbing too and that they are reminded it’s important not to fall under the influence of one particular country, where our interests are compromised.”

Under Hun Sen’s three-decade rule, China has become Cambodia’s single biggest donor and foreign investor, eclipsing the U.S. as its top trading partner in 2014. Cambodia has become a key supporter of China’s interests in regional forums such as the Association Southeast Asian Nations. Diplomats have long claimed China uses its sway over nations like Cambodia to limit criticism.

As well as opposition members, the Chinese spies targeted Cambodia’s National Election Commission, Ministry of the Interior, Ministry of Foreign Affairs and International Cooperation, Ministry of Economics and Finance and the Senate, human rights groups and media organizations, according to FireEye, which said it has made these entities aware of the hacks.

Neither Cambodia’s government spokesman Phay Siphan or the Ministry of Foreign Affairs responded to emails seeking comment.

TEMP.Periscope’s three servers had been “open indexed,” which meant that they were accessible to anyone on the public Internet, yielding a cache of information on the group’s objectives, operational tactics and technical information, according to Read.

“This type of trade-craft mistake offers valuable insight into a group’s operations since, unlike data contained in spear phishes, malicious actors do not anticipate this data being analyzed by researchers,” Read said. One of the IP addresses came from Hainan island, he said.

China’s foreign ministry didn’t respond to faxed questions.

Fireye’s analysis of the servers had shown the group was engaged mostly in gathering and downloading information, and there was no evidence of tampering.

Mandiant, a unit of FireEye, alleged in 2013 that China’s military might have been behind a group that had hacked at least 141 companies worldwide since 2006. The U.S. issued indictments against five military officials who were purported to be members of that group.

No comments: