Cyber Incident Victim: Ministry of Economy and Finance
Date: Apr 2017
Location: Cambodia
Summary
A Chinese state-sponsored espionage group known as TEMP.Periscope compromised Cambodia's Ministry of Economics and Finance along with other government entities overseeing elections and foreign affairs through spear phishing campaigns delivering custom malware. The attackers deployed tools including AIRBREAK, EVILTECH, and DADBOD to establish backdoor access, steal credentials, and conduct surveillance on political opposition figures, human rights advocates, and diplomatic personnel. Infrastructure analysis revealed operator connections to Hainan, China, with additional targeting spanning global defense, maritime, and technology sectors. The incident demonstrated the group's capability to concurrently execute large-scale intrusions across strategic geopolitical targets while expanding beyond traditional maritime interests into political interference operations.
Description
The Chinese espionage group TEMP.Periscope compromised Cambodia's Ministry of Economics and Finance as part of a broader campaign targeting Cambodian political entities ahead of the country's July 2018 general elections. FireEye analysis revealed the group actively infiltrated multiple Cambodian government agencies starting from at least April 2017, including the National Election Commission, Ministry of Foreign Affairs, Senate, and Interior Ministry. Attackers deployed spear phishing emails containing AIRBREAK malware, using decoy documents impersonating Cambodian human rights NGO LICADHO to target opposition figures like Monovithya Kem of the Cambodia National Rescue Party (CNRP). The group maintained operational infrastructure through three open-indexed servers hosting multiple malware families, including newly identified tools EVILTECH (a JavaScript backdoor) and DADBOD (credential stealer), alongside known payloads like SCANBOX, HOMEFRY, and MURKYTOP. Command and control domains such as scsnewstoday[.]com and partyforumseasia[.]com facilitated data exfiltration, with server logs showing administrative access from IP address 112.66.188.28 in Hainan, China. The attackers harvested credentials and established persistent access across victim networks, compromising not only government systems but also opposition politicians, human rights advocates, diplomats, and media organizations.

The compromise granted TEMP.Periscope extensive visibility into Cambodian government operations and electoral processes, with specific interest in entities relevant to China's geopolitical interests in Southeast Asia. FireEye identified victim organizations across the defense, aviation, chemical, and technology sectors globally through malware callbacks to the indexed servers, and notified all traceable victims. Analysis confirmed Chinese-language configurations in attacker infrastructure and alignment with known Chinese APT tactics, techniques, and procedures. While the exact data exfiltrated from the Ministry of Economics and Finance was not specified, the group's broader pattern involved stealing credentials and establishing long-term intelligence collection capabilities. The campaign demonstrated TEMP.Periscope's ability to concurrently manage intrusions against diverse targets, expanding from its traditional maritime-sector focus to direct political interference. Cambodia's strategic importance to China regarding South China Sea policy likely motivated the sustained surveillance of its electoral institutions and governing bodies.
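The description above publishes three network indicators (two defanged command-and-control domains and one operator IP address). The script below is an added example, not part of the original incident record or of FireEye's tooling, showing how a defender would refang those indicators and sweep DNS, proxy, and firewall logs for them. The log format and every log line are constructed for the example; only the indicators themselves come from the description.

```python
import re

# Indicators as published in the incident description above (defanged form).
DEFANGED_DOMAINS = ["scsnewstoday[.]com", "partyforumseasia[.]com"]
OPERATOR_IP = "112.66.188.28"  # administrative access seen in server logs


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]
IOC_IPS = {OPERATOR_IP}

# Constructed sample telemetry (not real logs): key=value lines from DNS, proxy and firewall sources.
SAMPLE_LOGS = [
    "2017-04-12T08:14:03Z dns client=10.0.4.21 query=mail.scsnewstoday.com type=A",
    "2017-04-12T08:14:05Z proxy client=10.0.4.21 url=http://partyforumseasia.com/news.php status=200",
    "2017-04-12T09:02:44Z dns client=10.0.4.33 query=www.example.org type=A",
    "2017-04-12T21:30:10Z fw action=allow src=112.66.188.28 dst=10.0.9.5 dport=443",
    "2017-04-12T21:31:00Z fw action=allow src=10.0.4.33 dst=93.184.216.34 dport=443",
]

# Hostname-like tokens (two or more labels, alphabetic TLD) and dotted-quad IPv4 addresses.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def matches_domain(name: str, ioc_domains) -> bool:
    """True for an exact match or any subdomain of an indicator domain.

    Comparing whole labels (not substrings) avoids false positives such as
    'notscsnewstoday.com', which shares characters but is a different registrable domain.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in ioc_domains)


def scan_logs(lines, ioc_domains, ioc_ips):
    """Return (line_number, indicator_type, value) for every indicator hit in the log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for host in DOMAIN_RE.findall(line):
            if matches_domain(host, ioc_domains):
                hits.append((number, "domain", host.lower()))
        for addr in IPV4_RE.findall(line):
            if addr in ioc_ips:
                hits.append((number, "ip", addr))
    return hits


def affected_internal_hosts(lines, hits):
    """Map each hit back to the internal endpoint (client= or dst=) that should be triaged."""
    endpoints = set()
    for number, _, _ in hits:
        line = lines[number - 1]
        for key in ("client", "dst"):
            found = re.search(rf"\b{key}=(\S+)", line)
            if found:
                endpoints.add(found.group(1))
    return sorted(endpoints)


if __name__ == "__main__":
    found_hits = scan_logs(SAMPLE_LOGS, IOC_DOMAINS, IOC_IPS)
    for number, kind, value in found_hits:
        print(f"line {number}: {kind} indicator {value}")
    print("endpoints to triage:", affected_internal_hosts(SAMPLE_LOGS, found_hits))
```

The subdomain-aware comparison matters because C2 domains in this kind of campaign are frequently contacted through hostnames underneath the registered domain; a plain substring search would either miss those or flag unrelated look-alike names. Mapping each hit back to the internal endpoint is what turns an indicator match into an incident-response action.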
