Cyber Incident Victim: Ministry of the Interior (Cambodia)
Date: Apr 2017
Location: Cambodia
Summary
A Chinese state-sponsored espionage group known as TEMP.Periscope compromised multiple Cambodian government entities, including the Ministry of the Interior, as part of a broader campaign targeting the country's electoral system and political opposition ahead of national elections. The attackers employed spear-phishing emails delivering malware such as AIRBREAK, EVILTECH, and DADBOD to infiltrate systems, enabling credential theft, remote access, and surveillance of human rights advocates, diplomats, and media organizations. Technical evidence linked the operations to infrastructure in Hainan, China, with malware command-and-control servers revealing concurrent targeting of global defense, aviation, and technology sectors. The compromise provided extensive visibility into Cambodia's political operations and election mechanisms, aligning with China's strategic regional interests.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Between April 2017 and at least July 2018, the Chinese state-sponsored cyber espionage group TEMP.Periscope conducted a sustained campaign targeting Cambodian political entities, including the Ministry of the Interior, National Election Commission, Ministry of Foreign Affairs and International Cooperation, Cambodian Senate, and Ministry of Economics and Finance. The group employed spear-phishing emails delivering AIRBREAK malware, using decoy documents impersonating LICADHO, a Cambodian human rights NGO. Additional infrastructure leveraged domains like scsnewstoday[.]com and partyforumseasia[.]com for command-and-control (C2) operations, with the latter explicitly referencing the Cambodian National Rescue Party (CNRP). TEMP.Periscope expanded beyond government targets to compromise opposition figures, including CNRP Members of Parliament, overseas Cambodian diplomats, human rights advocates critical of the ruling party, and multiple media organizations. This activity coincided with Cambodia's July 2018 general elections, suggesting intent to monitor political developments in a strategically aligned nation.

Technical analysis of three open-indexed C2 servers revealed TEMP.Periscope’s operational breadth, showing victim check-ins from global defense, aviation, chemical, education, and technology sectors alongside Cambodian targets. The group deployed both established malware (AIRBREAK, MURKYTOP, HOMEFRY) and new tools like the JavaScript backdoor EVILTECH and credential theft tool DADBOD. Server logs confirmed actor logins from Hainan, China (IP 112.66.188.28), with Chinese-language system settings reinforcing attribution. FireEye identified victims through server analysis and provided notifications. A SCANBOX server (mlcdailynews[.]com) hosted repurposed articles on U.S.-Asia geopolitics and Russia-NATO affairs, likely used as decoys for additional compromises. The campaign demonstrated TEMP.Periscope’s shift from maritime-sector espionage to direct election interference, leveraging Cambodia’s strategic importance to Chinese regional interests. No specific mitigation actions by Cambodian authorities were detailed in available reporting.
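The C2 domains and the Hainan login address above are the only concrete indicators this entry provides, and the practical use of such an entry is retrospective hunting in DNS and proxy logs. The following is an added example, not code from the original write-up or from FireEye: it refangs the bracketed indicators, separates domains from IP addresses, and scans a handful of constructed log lines (the log format, client addresses and timestamps are invented for illustration). Matching is done on whole hostnames and their subdomains, not substrings, so a look-alike such as "notpartyforumseasia.com" does not produce a false hit.

```python
import ipaddress
import re

# Indicators exactly as they appear in the incident write-up (defanged with [.]).
INDICATORS = [
    "scsnewstoday[.]com",
    "partyforumseasia[.]com",
    "mlcdailynews[.]com",
    "112.66.188.28",
]

# Constructed sample log lines (not from the page) in a simple DNS/proxy format.
SAMPLE_LOGS = [
    "2018-07-10T08:01:02Z dns client=10.0.0.12 query=www.scsnewstoday.com type=A",
    "2018-07-10T08:01:05Z proxy client=10.0.0.12 dst=112.66.188.28:443 method=CONNECT",
    "2018-07-10T08:02:11Z dns client=10.0.0.40 query=example.org type=A",
    "2018-07-10T08:03:30Z proxy client=10.0.0.40 dst=93.184.216.34:443 method=CONNECT",
    "2018-07-10T08:04:00Z dns client=10.0.0.51 query=notpartyforumseasia.com type=A",
]


def refang(indicator):
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def load_indicators(raw):
    """Split a mixed indicator list into a domain set and an IP-address set."""
    domains, ips = set(), set()
    for ind in raw:
        value = refang(ind)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips


# Field extractors for the constructed log format above.
DOMAIN_RE = re.compile(r"query=([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})")


def domain_matches(hostname, domains):
    """True if hostname equals a listed domain or is a subdomain of one (no substring matches)."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_logs(lines, raw_indicators=INDICATORS):
    """Return (timestamp, kind, matched_value) for each log line that touches an indicator."""
    domains, ips = load_indicators(raw_indicators)
    hits = []
    for line in lines:
        timestamp = line.split()[0]
        m = DOMAIN_RE.search(line)
        if m and domain_matches(m.group(1), domains):
            hits.append((timestamp, "domain", m.group(1)))
            continue
        m = IP_RE.search(line)
        if m and m.group(1) in ips:
            hits.append((timestamp, "ip", m.group(1)))
    return hits


if __name__ == "__main__":
    for ts, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"{ts} {kind} hit: {value}")
```

Run as a script it reports two hits: the DNS query for a subdomain of scsnewstoday.com and the proxy CONNECT to 112.66.188.28. A real deployment would read the indicator list from a feed rather than a literal and would also match on the decoy documents and malware hashes that the source report contains but this entry does not reproduce.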
