Hackers From China Likely Targeted Cambodia

A hacking group operating out of China with possible state sponsorship has been spying on governments and companies across Southeast Asia—Cambodia likely included—for the past decade, according to U.S.-based Internet security firm FireEye.

In a new report, the firm said the hackers had been at work since 2005, focusing on targets with key political, economic and military information about the region — including an operation carried out during an Asean meeting in Phnom Penh in 2012.

FireEye said the hacking group, which it calls APT30, stands out from others like it traced back to China for its longevity—it is believed to still be operating—and its geographic scope.

“Their missions focus on acquiring sensitive data from a variety of targets, which possibly include classified government networks and other networks inaccessible from a standard Internet connection,” according to the report, which said the group has gone after what should be more secure air-gapped networks well before other advanced hacking groups.

“Such a sustained, planned development effort, coupled with the group’s regional targets and missions, lead us to believe that this activity is state sponsored, most likely by the Chinese government,” it said.

FireEye said it confirmed APT30 targets in seven countries: India, Malaysia, Saudi Arabia, South Korea, Thailand, the U.S. and Vietnam. It says it found “likely” targets in 10 others, mostly in Southeast Asia, including Cambodia.

The security firm did not say that the Cambodian government was a target itself.

According to the report, the group has set up Asean-themed Internet domains that mimic Asean’s real domains but contain data-stealing malicious software, “most likely trying to compromise Asean members or associates to steal information that would provide insight into the region’s politics and economics.”

The report said the fake domains were often set up to coincide with Asean meetings, including a get-together of the bloc’s labor ministers in Phnom Penh on May 11, 2012, the year that Cambodia served as Asean chair.

It said the domain was used again in late June that year, during a meeting in Ho Chi Minh City between Asean and China about their competing claims in the South China Sea.

A few weeks later, back in Phnom Penh for Asean’s annual meeting of foreign ministers, Cambodia scuppered efforts to conclude the event with a joint statement by refusing a request from the Philippines to mention a naval standoff it recently had with China in disputed waters. Cambodia, which enjoys especially close ties with China, its biggest investor, was widely seen as doing Beijing’s bidding.

APT30’s activities, FireEye said, “suggest the group is particularly interested in regional political, military and economic issues, disputed territories and media organizations and journalists who report on topics pertaining to China and the government’s legitimacy.”

Spokesmen for Cambodia’s ministries of interior and foreign affairs could not be reached Tuesday. A spokesman for the Chinese Embassy in Phnom Penh did not reply to a request for comment.

Niklas Femerstrand, a Phnom Penh-based hacker and Internet security researcher, said in an email Tuesday that while there was no evidence that APT30 had targeted Cambodia specifically, the government would be none the wiser if it had.

“The Cambodian government’s ability of detecting anything remotely threatening in terms of espionage is near zero,” Mr. Femerstrand wrote.

“Even if there would be capacity I think the dominant cultural attitude is that these things just happen, as when we saw the government shrug its shoulders at the revelations that the NSA [National Security Agency] was listening to the region from its embassy.”

In November 2013, documents released by American whistleblower Edward Snowden revealed that the U.S. National Security Agency had used Phnom Penh as a regional collection point for data gathered using malicious software placed on more than 50,000 computer networks around the world by the spy agency.

On Tuesday, news agency Reuters quoted Chinese Foreign Ministry spokesman Hong Lei reacting to FireEye’s report by denying state involvement in any hacking operations.

“I want to stress that the Chinese government resolutely bans and cracks down on any hacking acts. This position is clear and consistent,” he is quoted as saying.

“Hacking attacks are a joint problem faced by the international community and need to be dealt with cooperatively rather than via mutual censure.”

peter@cambodiadaily.com

© 2015, Zsombor Peter. All rights reserved.