Jul 10, 2018 - World

Evidence surfaces of China spying on Cambodian elections

Supporters of GDP seen on a vehicle. Photo: Enric Catala Contreras/SOPA Images/LightRocket via Getty Images

Researchers at FireEye found evidence that a Chinese hacker group known as TEMP.Periscope spied on both sides of the Cambodian election, according to a new report.

What they're saying: Benjamin Read, FireEye senior manager for cyber espionage analysis, said in a statement: "China is heavily surveilling all parts of the upcoming Cambodian elections. We have not seen any evidence of activity beyond intelligence collection, but Cambodia is a key ally, so any change in ruling party would be of interest to China."

The details: TEMP.Periscope was previously only known for espionage on maritime targets. The election targets show a new interest in geopolitics.

  • The attack leveraged Airbreak, Homefry, Murkytop, HTran, and Scanbox malware already attributed to the group, as well as two new families of malware: a backdoor FireEye dubbed Eviltech and a credential harvesting program it dubbed Dadbod.
  • Airbreak malware, which is used to install other malware programs, was affixed to lure documents related to Cambodian politics.

Targets of the attack include:

    • The National Election Commission, Ministry of the Interior, Ministry of Foreign Affairs and International Cooperation, Cambodian Senate, Ministry of Economics and Finance.
    • A Member of Parliament representing the ruling Cambodia National Rescue Party.
    • Multiple human rights advocates in opposition to the ruling party.
    • Two Cambodian diplomats serving overseas.
    • Multiple Cambodian media outlets.
    • Monovithya Kem, deputy director-general of public affairs of the Cambodia National Rescue Party.
    • The daughter of imprisoned Cambodian opposition party leader Kem Sokha.

The attack also gave FireEye, which monitored a command-and-control server used in the operation, new evidence that TEMP.Periscope is a Chinese group.

  • While the attackers usually connected through location-hiding anonymity measures, the one connection that did not came from Hainan, China.
  • Computers that connected to the server had Chinese language settings.