In the run-up to Cambodia’s general election on July 29, a hacking group tied to China has been breaking into multiple organizations that share a connection to either the country’s main opposition party, voting process or human rights movement, according to new research and additional analysis provided by U.S. cybersecurity firm FireEye.
The findings — made possible through a glaring operational security mistake where hackers left their attack servers exposed on the open internet — help illustrate how governments are leaning on cyber-espionage capabilities to learn about foreign elections.
FireEye collected this intelligence by directly accessing the attack servers, which weren’t protected with a password. The firm was able to identify breaches from the existing communications between those servers and victim machines.
The hacking group in question, known as “TEMP.Periscope,” has been tied multiple times to Chinese-linked cyber-operations that used a suite of unique tools to breach multiple U.S. defense contractors, universities and maritime technology development firms.
According to FireEye, the impacted Cambodian organizations include: the National Election Commission; members of parliament representing the Cambodia National Rescue Party (CNRP), the country’s main opposition party; high-profile Cambodians who’ve publicly advocated for human rights; and at least two unnamed Cambodian media entities.
It’s not just the opposition that’s been hacked by TEMP.Periscope.
Several leading government agencies that are largely controlled by the ruling political party, the Cambodian People’s Party (CPP), have also been breached. Those attacked organizations — which are responsible for both domestic and foreign policy — include the Ministry of the Interior, Ministry of Foreign Affairs, Cambodian Senate, and Ministry of Economics and Finance, according to FireEye.
“TEMP.Periscope is one of the most active Chinese groups of 2018,” said FireEye Senior Analyst Ben Read. “We have high confidence that TEMP.Periscope is acting on behalf of the Chinese government.”
The primary method of infiltration appears to be well-crafted phishing emails, which mention local news events. Additionally, some intrusions leveraged watering hole-style booby-trapped websites, FireEye stated in a blog post published late Tuesday.
“The phishing emails demonstrated knowledge of the subject, but nothing that would have been impossible to gather from open sources as far as we saw,” Read said. “They also appeared to be using SCANBOX [software] to profile and potentially infect victims.”
So far, the activity has remained limited to digital espionage, although sabotage remains possible given the active nature of the breaches.
In one case, researchers were able to trace a related data breach to an IP address in Hainan, China. The largely agricultural island off China’s southern coast is home to several naval and intelligence installations operated by the People’s Liberation Army (PLA).
Prior reporting by the Information Warfare Monitor, a now-defunct Canadian cybersecurity research group, suggests that Hainan may also be home to the secretive Lingshui signals intelligence facility and the Third Technical Department of the PLA. Those two units have been connected to China’s global hacking exploits.
“The lesson I would take is that there are a broad array of groups interested in elections,” Read said.
The hacks underscore Beijing’s complex relationship with Cambodia’s ruling authoritarian regime led by Prime Minister Hun Sen.
Over the last several years, Sen has tightened his grip on the country by using the government to prosecute opposition leaders, control local media, and sell off land assets to foreign investors. His regime is also known for its use of social media trolls to control the narrative around significant political events.
Sen is widely seen as an ally to Beijing’s existing geopolitical interests in the region, including China’s ongoing territorial conquest in the South China Sea.
Foreign policy experts expect the CPP to win the national election in a landslide, in part due to corruption and voting manipulation. The expected result raises the question of why China is so intent on monitoring the election.
“While Cambodia is rated as Authoritarian by the Economist’s Democracy Index, the recent surprise upset of the ruling party in Malaysia may motivate China to closely monitor Cambodia’s July 29 elections,” FireEye stated. “The targeting of the election commission is particularly significant … There is not yet enough information to determine why the organization was compromised – simply gathering intelligence or as part of a more complex operation.”
A spokesperson for the Chinese Embassy in D.C. did not respond to a request for comment.
In an emailed statement, a member of Cambodia’s main opposition party, the CNRP, said she was disturbed by the revelation.
“I am not surprised but disturbed by it. I hope with this, the international community now look at Cambodia’s current crisis in regional context. It’s important that Cambodia not fall under the influence of any one particular country where our interests can be compromised,” said Monovithya Kem, deputy director of public affairs for the Cambodia National Rescue Party (CNRP).