Cyber Incident Victim: Cambodia National Rescue Party
Date: Jun 2018
Location: Cambodia
Summary
A U.S. cybersecurity firm identified a China-linked cyber espionage group targeting Cambodia's electoral body, government agencies, opposition members including the dissolved Cambodia National Rescue Party, NGOs, and the ruling party ahead of national elections. The campaign involved data theft from multiple stakeholders and website defacement of a local rights group, disrupting its operations. The espionage activity aimed to gather intelligence amid heightened political tensions following the opposition party's dissolution and a broader crackdown on dissent, raising concerns about potential election interference. China denied involvement, while Cambodian officials acknowledged limited breaches but downplayed the severity of compromised information. The incident was initially flagged by a family member of the opposition leader after detecting suspicious phishing attempts.
Description
In mid-2018, ahead of Cambodia’s July 29 general election, U.S. cybersecurity firm FireEye identified a cyber espionage campaign targeting multiple Cambodian entities, including the dissolved Cambodia National Rescue Party (CNRP). The operation, attributed to the group TEMP.Periscope, compromised government agencies such as the National Election Committee (NEC) and the ministries of foreign affairs, economics and finance, and interior. Opposition members and NGOs, including rights groups Adhoc and Licadho, were also affected. FireEye reported data theft from both the CNRP and Prime Minister Hun Sen’s ruling Cambodian People’s Party (CPP), characterizing the activity as espionage aimed at gathering political intelligence. The firm noted this marked the first documented instance of a China-linked group targeting Cambodia’s government, expressing high confidence in TEMP.Periscope’s affiliation with the Chinese state. FireEye’s investigation began in June 2018 after CNRP leader Kem Sokha’s U.S.-based daughter, Kem Monovithya, reported receiving suspicious emails impersonating a Cambodian rights investigator.

The attacks unfolded amid Cambodia’s heightened political tensions following the November 2017 dissolution of the CNRP by the Supreme Court over alleged coup plots. On July 19, 2018, Adhoc confirmed its website was hacked and defaced with a false maintenance message by an actor using the alias “Turksiberkarargh,” forcing the NGO to publicly disavow any fraudulent content. NEC spokesman Hang Puthea acknowledged their website’s compromise but downplayed risks to election integrity, while Council of Ministers spokesman Phay Siphan denied awareness of state institution breaches. NGOs expressed alarm over the targeting of civil society groups preceding the election. China’s Foreign Ministry rejected allegations of involvement. FireEye suggested the broad data collection could indicate intentions beyond espionage, potentially to influence Cambodia’s electoral outcome following China’s perceived strategic concerns after Malaysia’s unexpected opposition victory earlier that year. The incident occurred alongside Hun Sen’s broader crackdown on dissent, including Kem Sokha’s arrest and media restrictions.
