China Accused of Hacking Cambodian Government Institutions

PHNOM PENH, CAMBODIA — Cyberattackers have been caught hacking key Cambodian government institutions in what is strongly believed to be a coordinated Chinese government attack ahead of elections set for this month, a U.S. cybersecurity firm has alleged.

Cambodia’s National Election Committee, Senate, Ministry of Foreign Affairs, Ministry of Interior, and Ministry of Economy and Finance have all been breached, along with computer systems of foreign diplomats, media institutions and opposition figures, an investigation by FireEye Inc. concluded.

“We expect this activity to provide the Chinese government with widespread visibility into Cambodian elections and government operations,” the firm said in a report issued Tuesday. “Additionally, this group is clearly able to run several large-scale intrusions concurrently across a wide range of victim types.”

Cambodians head to the polls on July 29 in elections that follow last year’s dissolution of the opposition Cambodia National Rescue Party (CNRP), the only viable contender to the ruling Cambodian People’s Party (CPP).

FireEye discovered that a suite of malicious software, or malware, that they had tracked since 2013 had been deployed against Cambodian political targets since at least April 2017, including numerous members of the CNRP.

The malware suite — TEMP.Periscope — was carelessly left on publicly accessible servers, allowing FireEye to observe its logs, which revealed “objectives, operational tactics, and a significant amount of technical attribution-validation.”

The information included evidence that attackers operated from locations in China using local-language computer systems, as well as behavior consistent with known Chinese cyberespionage practices, FireEye said.

It further strengthened FireEye’s long-held belief that the software, which it said has previously been used against maritime targets related to China’s sensitive claims over the South China Sea, is being deployed by Beijing.


Benjamin Read, senior manager of cyberespionage analysis at FireEye, said China could just be conducting traditional espionage to keep tabs on a strategically important partner but might also be orchestrating something “a little bit more concerning.”

“Obviously in the United States, in France, you saw these sorts of information operation campaigns that followed after hacking,” Read said.

Russia has been accused of trying to rig elections in both those countries by hacking the private data of candidates, leaking it, and then using it as the basis of large, targeted social media campaigns against them.

Read said FireEye had not attributed coordinated campaigns of that nature to China before.

“But the broad targeting of Cambodian institutions, both government and opposition leading up to the elections, raised that possibility,” he added.

FireEye’s report said the same software tools were used against commercial targets, including what it described as a defense industrial base in the United States and a chemical company in Europe.

The Chinese Embassy in Phnom Penh declined to comment and the Cyberspace Administration of China did not reply to VOA inquiries.

Cambodia has fallen under the orbit of Beijing in recent years, becoming a key supporter within the Association of Southeast Asian Nations of China’s claims to the South China Sea. China, in turn, has showered Prime Minister Hun Sen, who has ruled for 33 years, with investments, infrastructure loans and political support.

Calls to officials in the Cambodian government bodies identified in the report have gone unanswered, while Ou Phannarith, director of the Department of ICT Security, could not be reached.

FireEye has not been able to provide any detail on what information was stolen from those targeted in the attacks — whom they were able to identify from logs on the malware servers.

In-Q-Tel, a nonprofit CIA-funded venture capital fund, has a less than 1 percent stake in FireEye, according to a 2014 post on its website.

Spearphishing incident

The malicious servers in question were discovered after FireEye began investigating a suspicious email that was sent to Kem Monovithya, the daughter of jailed CNRP leader Kem Sokha.

Kem Monovithya, who was also the CNRP deputy public affairs head, received what appeared to be a perfectly normal email from the respected Cambodian human rights group Licadho.

“I’ve been receiving a lot of phishing emails for the last year or so, but a lot of them are very obvious, but this one wasn’t. It was very personal,” she said.

The deceptive email, sent in the name of a real Licadho staff member, implored her to contribute to an article for The Washington Post on human rights through an attached list of questions, which she realized was a suspicious document.

FireEye was called in and its investigation of malware attached to the email led unexpectedly to familiar territory: servers running TEMP.Periscope software.

Licadho director Naly Pilorge said her organization appeared to be a victim of its own integrity, although in this case it wasn’t the target.

“Because of the nature of the work we do, and in this case and it’s really quite unfortunate, but part of the reason that there was an attempt to impersonate us was because of our reputation,” she said.

Licadho has also been on the receiving end of such attacks.

In May, FireEye reported that software inserted into the website of The Phnom Penh Post, which attempted to trick Licadho staff members into giving up their passwords, was planted by a Vietnamese state-linked hacking group.

“Recently, these two incidents show that the attacks are much more sophisticated and complex and targeted,” Pilorge said, adding she was surprised to see Cambodian government institutions had been targeted.