Date: Apr 2017

Location: Cambodia

Summary

A Chinese state-sponsored espionage group known as TEMP.Periscope compromised multiple Cambodian government entities, including the Ministry of Foreign Affairs and International Cooperation, through spear-phishing campaigns deploying malware such as AIRBREAK and SCANBOX. The operation targeted electoral bodies, opposition figures, human rights advocates, and media organizations, aiming to gain extensive visibility into Cambodia's political systems and elections. The attackers utilized infrastructure linked to Hainan, China, and employed a suite of tools including credential stealers and remote access trojans to exfiltrate data from victims across defense, aviation, technology, and government sectors globally. This activity aligned with China's strategic interests, particularly given Cambodia's geopolitical significance in regional disputes like the South China Sea.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

The Chinese espionage group TEMP.Periscope compromised Cambodia's Ministry of Foreign Affairs and International Cooperation as part of a broader campaign targeting Cambodian political entities ahead of the country's July 2018 general elections. Activity on servers linked to the group revealed intrusions dating to at least April 2017, with sustained operations against Cambodian government systems through mid-2018. The attackers employed spear phishing emails delivering AIRBREAK malware, including a decoy document impersonating a Cambodian human rights NGO sent to opposition figure Monovithya Kem. Additional malware families deployed included EVILTECH, DADBOD, MURKYTOP, HOMEFRY, HTran, and SCANBOX, hosted on domains such as scsnewstoday[.]com and partyforumseasia[.]com. Command and control infrastructure analysis showed actor logins from an IP address in Hainan, China (112.66.188.28), with server administration conducted from systems using Chinese language settings.

The compromise granted TEMP.Periscope access to communications and operational data within the Ministry of Foreign Affairs alongside other high-value targets including Cambodia's National Election Commission, Senate, and Ministry of Economics and Finance. FireEye's forensic review of three open-indexed servers controlled by the group identified victim connections from government, defense, education, and technology sectors across multiple regions. Data exfiltration impacted Cambodian diplomats stationed abroad, opposition politicians, human rights advocates, and media organizations. FireEye notified identifiable victims but no specific remediation actions by Cambodian authorities were detailed in available records. The intrusion provided persistent visibility into Cambodia's electoral processes and foreign policy apparatus during a period of strategic importance to China, given Cambodia's alignment on South China Sea disputes. Technical evidence confirmed the group's reuse of infrastructure targeting global maritime, defense, and chemical industry entities concurrently with political operations.
