Evidence surfaces of China spying on Cambodian elections
Add Axios as your preferred source to
see more of our stories on Google.
Supporters of GDP seen on a vehicle. Photo: Enric Catala Contreras/SOPA Images/LightRocket via Getty Images
Researchers at FireEye found evidence that a Chinese hacker group known as TEMP.Periscope spied on both sides of the Cambodian election, according to a new report.
What they're saying: Benjamin Read, FireEye senior manager for cyber espionage analysis said in a statement: "China is heavily surveilling all parts of the upcoming Cambodian elections. We have not seen any evidence of activity beyond intelligence collection, but Cambodia is a key ally, so any change in ruling party would be of interest to China."
The details: TEMP.Periscope was previously only known for espionage on maritime targets. The election targets show a new interest in geopolitics.
- The attack leveraged Airbreak, Homefry, Murkytop, HTran, and Scanbox malware already attributed to the group, as well as two new families of malware: a backdoor FireEye dubbed Eviltech and a credential harvesting program it dubbed Dadbod.
- Airbreak malware, which is used to install other malware programs, was affixed to lure documents related to Cambodian politics.
Targets of the attack include:
- The National Election Commission, Ministry of the Interior, Ministry of Foreign Affairs and International Cooperation, Cambodian Senate, Ministry of Economics and Finance.
- A Member of Parliament representing the ruling Cambodia National Rescue Party.
- Multiple human rights advocates in opposition to the ruling party.
- Two Cambodian diplomats serving overseas.
- Multiple Cambodian media outlets.
- Monovithya Kem, deputy director-general of public affairs of the Cambodia National Rescue Party.
- The daughter of imprisoned Cambodian opposition party leader Kem Sokha.
The attack provided new evidence that TEMP.Periscope is a Chinese group from FireEye, which monitored a control server from the attack.
- While the attackers usually used location-hiding anonymity measures, the one connection that didn't was located in Hainan, China.
- Computers that connected to the server had Chinese language settings.
