A Chinese cyberespionage group is targeting Cambodian entities ahead of the country’s July 2018 elections.
FireEye researchers spotted the TEMP.Periscope cybergang targeting various government entities charged with overseeing the electoral system as well as opposition figures.
The group has been active since at least 2013 and has primarily focused its attacks on maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, research universities, professional/consulting services, high-tech industry, healthcare, and media/publishing companies.
Researchers were aware of the attacker’s interest in maritime affairs but said the most recent attacks suggest the cybergang will target the political systems of strategically important countries.
“Cambodia has served as a reliable supporter of China’s South China Sea position in international forums such as ASEAN and is an important partner,” researchers said in the post. “While Cambodia is rated as Authoritarian by the Economist’s Democracy Index, the recent surprise upset of the ruling party in Malaysia may motivate China to closely monitor Cambodia’s July 29 elections.”
An attack targeting the election commission was particularly significant researchers said, given the critical role it plays it facilitating voting. Researchers weren’t sure if the organization was compromised simply to gather information or as part of a more complex operation.
Regardless of the reasoning the attack was described as the most recent example of aggressive nation-state intelligence collection on election processes worldwide as they are expected to provide the Chinese government with widespread visibility into Cambodian elections and government operations.
In one attack the threat actors sent spear phishing emails to Monovithya Kem, Deputy Director-General, Public Affairs, Cambodia National Rescue Party (CNRP), and the daughter of imprisoned Cambodian opposition party leader Kem Sokha.
The malicious document purportedly came from LICADHO, a non-governmental organization [NGO] in Cambodia established in 1992 to promote human rights, but was actually laced with AIRBREAK malware.
Researchers noted the cybergang used the same infrastructure in attacks against other more traditional targets including the defense industrial base in the United States and a chemical company based in Europe.
The group which is in line with typical Chinese-based APT efforts and maintains an extensive intrusion architecture and a wide array of malicious tools, and targets a large victim set. The gang was also noted for overlapping the targeting tactics, techniques, and procedures used by TEMP.Jumper.