Evidence surfaces of China spying on Cambodian elections

Researchers at FireEye found evidence that a Chinese hacker group known as TEMP.Periscope spied on both sides of the Cambodian election, according to a new report.

What they're saying: Benjamin Read, FireEye senior manager for cyber espionage analysis said in a statement: "China is heavily surveilling all parts of the upcoming Cambodian elections. We have not seen any evidence of activity beyond intelligence collection, but Cambodia is a key ally, so any change in ruling party would be of interest to China."

The details: TEMP.Periscope was previously only known for espionage on maritime targets. The election targets show a new interest in geopolitics.

• The attack leveraged Airbreak, Homefry, Murkytop, HTran, and Scanbox malware already attributed to the group, as well as two new families of malware: a backdoor FireEye dubbed Eviltech and a credential harvesting program it dubbed Dadbod.
• Airbreak malware, which is used to install other malware programs, was affixed to lure documents related to Cambodian politics.

Targets of the attack include:

• The National Election Commission, Ministry of the Interior, Ministry of Foreign Affairs and International Cooperation, Cambodian Senate, Ministry of Economics and Finance.
• A Member of Parliament representing the ruling Cambodia National Rescue Party.
• Multiple human rights advocates in opposition to the ruling party.
• Two Cambodian diplomats serving overseas.
• Multiple Cambodian media outlets.
• Monovithya Kem, deputy director-general of public affairs of the Cambodia National Rescue Party.
• The daughter of imprisoned Cambodian opposition party leader Kem Sokha.

The attack provided new evidence that TEMP.Periscope is a Chinese group from FireEye, which monitored a control server from the attack.

• While the attackers usually used location-hiding anonymity measures, the one connection that didn't was located in Hainan, China.
• Computers that connected to the server had Chinese language settings.