
Cyber Incident Victim: Cambodian Senate

Date: Apr 2017

Location: Cambodia

Summary

A Chinese state-sponsored espionage group known as TEMP.Periscope compromised multiple Cambodian government entities, including the Senate, election oversight bodies, opposition figures, human rights advocates, diplomats, and media organizations. The attackers employed spear phishing with malicious decoy documents impersonating a local NGO, deploying malware families such as AIRBREAK, EVILTECH, and SCANBOX to establish backdoor access and conduct credential theft. Infrastructure analysis revealed actor logins originating from Hainan, China, and Chinese-language configurations on command servers. This campaign provided extensive visibility into electoral systems and political operations, aligning with China's strategic interests given Cambodia's geopolitical significance. The group concurrently targeted global defense, chemical, and technology sectors using shared infrastructure and toolsets.


Description

In early April 2017, the Chinese state-sponsored cyber espionage group TEMP.Periscope began a sustained campaign against Cambodian political entities, with compromises extending through at least July 2018. The group compromised multiple Cambodian government agencies central to the country's electoral process, including the Cambodian Senate, the National Election Commission, the Ministry of the Interior, the Ministry of Foreign Affairs and International Cooperation, and the Ministry of Economics and Finance. TEMP.Periscope also targeted opposition figures, including a Member of Parliament from the Cambodia National Rescue Party (CNRP), Cambodian diplomats stationed overseas, human rights advocates critical of the ruling party, and local media organizations. The attackers sent spear-phishing emails delivering AIRBREAK malware, with decoy documents impersonating the Cambodian human rights NGO LICADHO. Infrastructure analysis identified command-and-control domains such as scsnewstoday[.]com and partyforumseasia[.]com, the latter an explicit reference to the CNRP. Publicly indexed servers hosting the group's malware contained logs of victim communications from government, education, defense, and aviation organizations across multiple regions.


FireEye's forensic examination of three publicly indexed servers controlled by TEMP.Periscope uncovered operational details from April 2017 onward, including actor logins from an IP address (112.66.188.28) in Hainan, China, used to administer the infrastructure and interact with victim malware. The servers hosted both established malware families (AIRBREAK, MURKYTOP, HOMEFRY, HTran, SCANBOX) and newer tools: EVILTECH, a JavaScript-based remote access trojan, and DADBOD, a credential theft utility. One active SCANBOX server (mlcdailynews[.]com) hosted decoy articles about Cambodian politics and U.S.-Asia geopolitics, likely delivered through compromised websites or links in malicious emails. Control panel logs showed Chinese-language system settings on the operators' machines. The campaign demonstrated TEMP.Periscope's ability to pursue geopolitical collection targets, including Cambodia's election infrastructure and maritime and defense organizations worldwide, while expanding into political interference. FireEye notified the victims it could identify across the affected sectors, but no remediation details from Cambodian entities were disclosed. The compromises gave China extensive access to Cambodian governmental operations during a period of strategic partnership, particularly regarding Cambodia's support for China's South China Sea claims.
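The indicators named above (the three C2 domains and the Hainan administration IP) are the part of this write-up a defender can act on directly. The following is an added example, not code from FireEye or from this page, showing how to refang the defanged indicators as written here and sweep them across DNS, proxy and SSH logs. The log lines are constructed for the example; the only real values are the indicators quoted on the page. Subdomains of a C2 domain count as hits, but a look-alike such as notpartyforumseasia.com does not, and an indicator list this short is a hunt for these specific servers, not a detection for the campaign as a whole.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Indicators exactly as written on the page (defanged with [.]).
DEFANGED_DOMAINS = ["scsnewstoday[.]com", "partyforumseasia[.]com", "mlcdailynews[.]com"]
DEFANGED_IPS = ["112[.]66[.]188[.]28"]


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', '(.)', 'hxxp') so the value can be matched."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http"))


C2_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
C2_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# Candidate hostnames: dotted labels ending in an alphabetic TLD (so IPs do not match here).
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_matches(host: str) -> Optional[str]:
    """Return the matching C2 domain if host is it or a subdomain of it, else None.

    The '.' prefix in the suffix test keeps look-alikes (notscsnewstoday.com)
    from matching.
    """
    host = host.lower().rstrip(".")
    for c2 in C2_DOMAINS:
        if host == c2 or host.endswith("." + c2):
            return c2
    return None


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan free-form log lines for the page's C2 domains and the actor's admin IP."""
    hits: List[Dict[str, str]] = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            c2 = domain_matches(m.group(1))
            if c2:
                hits.append({"line": str(n), "kind": "domain", "ioc": c2, "seen": m.group(1).lower()})
        for m in IP_RE.finditer(line):
            try:
                ip = ipaddress.ip_address(m.group(0))
            except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an address
                continue
            if ip in C2_IPS:
                hits.append({"line": str(n), "kind": "ip", "ioc": str(ip), "seen": m.group(0)})
    return hits


# Constructed sample log lines (not real victim data); timestamps are illustrative.
SAMPLE_LOG = [
    "2017-04-12T08:14:03Z dns client=10.0.5.23 query=update.scsnewstoday.com type=A",
    "2017-04-12T08:14:05Z proxy client=10.0.5.23 url=http://update.scsnewstoday.com/index.php status=200",
    "2017-04-12T09:02:41Z dns client=10.0.7.9 query=mail.example.org type=MX",
    "2017-04-13T22:51:10Z sshd Accepted password for admin from 112.66.188.28 port 51022",
    "2017-04-14T11:30:00Z proxy client=10.0.5.40 url=http://mlcdailynews.com/news/cambodia.html status=200",
    "2017-04-14T11:31:00Z dns client=10.0.5.40 query=notpartyforumseasia.com type=A",
]


def hunt() -> List[Dict[str, str]]:
    """Run the sweep over the constructed sample; four hits expected (lines 1, 2, 4, 5)."""
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for h in hunt():
        print(f"line {h['line']}: {h['kind']} {h['seen']} -> matches IOC {h['ioc']}")
```

The hostname regex deliberately over-matches (it will pick up things like index.php); the indicator set is the filter, so that costs nothing. Swap SAMPLE_LOG for a file iterator to run it against real DNS or proxy exports.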
