At least 24 Cambodian government organizations have been compromised by two high-profile Chinese state-sponsored advanced persistent threat groups as part of a cyberespionage operation, reports The Record, a news site by cybersecurity firm Recorded Future.
Numerous host subdomains purporting to be cloud backup services were leveraged by attackers to stealthily exfiltrate data from the networks of Cambodia's commerce, finance, national defense, human rights, telecommunications, natural resources, and election oversight agencies, according to a report from Palo Alto Networks Unit 42.
Researchers attributed the campaign to Chinese threat actors based on the infrastructure and activity patterns, with the hackers pausing data compromise efforts during China's Golden Week.
Such a campaign "aligns with geopolitical goals of the Chinese government as it seeks to leverage their strong relations with Cambodia to project their power and expand their naval operations in the region," said researchers. Cambodia has yet to comment on the findings.
As part of its latest attacks discovered in June, Tropic Trooper exploited several known Microsoft Exchange Server and Adobe ColdFusion vulnerabilities to distribute an updated China Chopper web shell on a server hosting the Umbraco open-source content management system.
More than 50 Alibaba-hosted command-and-control servers have been leveraged to facilitate the distribution of the backdoor, which impersonates the Java, bash, sshd, SQLite, and edr-agent utilities.
Angola and the Democratic Republic of Congo, which is a new Intellexa client, may have leveraged new Predator infrastructure to enable spyware staging and exploitation, according to an analysis from Recorded Future's Insikt Group.