Cyber Incident Victim: Cambodian Government Organization
Date: Apr 2017
Location: Cambodia
Summary
A Chinese espionage group known as TEMP.Periscope compromised multiple Cambodian government entities overseeing elections and targeted opposition figures, diplomats, human rights advocates, and media organizations through spear phishing campaigns deploying malware including AIRBREAK, EVILTECH, and DADBOD. The attackers utilized infrastructure linked to Hainan, China, and employed credential theft tools alongside remote access capabilities to monitor political activities and exfiltrate sensitive data. This operation revealed broader targeting of global defense, maritime, and technology sectors, indicating strategic intelligence collection aligned with Chinese geopolitical interests in Southeast Asia and beyond.
Description
In early April 2017, the Chinese state-sponsored espionage group TEMP.Periscope initiated a cyber campaign targeting Cambodian government organizations and political entities, continuing operations through at least July 2018. The group compromised multiple Cambodian government agencies critical to the country's electoral system, including the National Election Commission, Ministry of the Interior, Ministry of Foreign Affairs and International Cooperation, Cambodian Senate, and Ministry of Economics and Finance. TEMP.Periscope employed spear-phishing attacks using decoy documents impersonating legitimate Cambodian human rights organizations, delivering malware such as AIRBREAK through domains including scsnewstoday[.]com and partyforumseasia[.]com. The campaign specifically targeted opposition figures, including Monovithya Kem (Deputy Director-General of the Cambodia National Rescue Party and daughter of imprisoned opposition leader Kem Sokha), Cambodian diplomats stationed overseas, human rights advocates critical of the ruling party, and multiple Cambodian media outlets. The attackers operated three open-indexed servers (directory listings publicly browsable) holding operational data from April 2017 onward, which exposed victim communications and malware infrastructure to analysts.

Technical analysis revealed that TEMP.Periscope used both established malware families (AIRBREAK, MURKYTOP, HOMEFRY, HTran, SCANBOX) and newly identified tools (the EVILTECH JavaScript backdoor and the DADBOD credential stealer). The group operated SCANBOX through mlcdailynews[.]com, hosting articles on U.S.-East Asia geopolitics and Russia-NATO affairs as decoy content. Forensic evidence from server logs confirmed actor logins originating from IP address 112.66.188.28 in Hainan, China, with Chinese-language system configurations also observed across the group's virtual private servers. Compromised systems spanned global victims in the defense, aviation, chemical, education, and technology sectors, though Cambodian political targets dominated recent operations. FireEye identified victim organizations through analysis of the open servers and notified affected entities. The breaches granted Chinese operators extensive access to Cambodian electoral systems, government communications, and opposition activities during a politically sensitive period preceding the July 2018 general elections, consistent with Cambodia's strategic importance to China regarding South China Sea policy. No remediation actions by Cambodian authorities were detailed in the available evidence.
