Fake cloud services observed targeting Cambodian defence, election, and treasury organisations.
Security researchers at Palo Alto Networks have spotted espionage activity targeting Cambodian government agencies, with a Chinese threat actor the likely culprit.
Palo Alto Networks’ Unit 42 research team found the activity by pivoting on a TLS certificate already linked to malicious activity. The same certificate is in use on six IP addresses, each hosting what appears to be a legitimate cloud backup service.
“Based on their names, a number of these domains appear to masquerade as cloud storage services,” Unit 42 said in a blog post. “This disguise likely lends a sense of legitimacy to the unusual amount of traffic during times of high activity levels from the actor, such as data exfiltration from the victim network.”
The infrastructure also runs a honeypot to cover its activity, and it actively blocks scans from large technology companies and, specifically, from known Palo Alto Networks IP ranges, most likely to avoid being profiled by researchers.
Unit 42 has seen 24 separate Cambodian government agencies communicating with the malicious infrastructure, spanning sectors such as defence, finance, telecommunications and election oversight. Taken together, these agencies “hold vast amounts of sensitive data”, according to Unit 42, including classified information, personal data and financial information.
“We assess that these organisations are likely the targets of long-term cyber espionage activities that have leveraged this infrastructure for persistent access to government networks of interest,” Unit 42 said.
The espionage activity itself appears to be linked to two known Chinese threat actors, and the timing of the activity also points to China: most of it falls within the Chinese working week, and several gaps in activity line up with Chinese public holidays.
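The working-week and holiday-gap observation above is a standard temporal attribution check, and it is easy to reproduce against your own network telemetry. The following is an added example, not code from Unit 42 or from the original article. It assumes the candidate operator works in China Standard Time (UTC+8), uses a constructed list of connection timestamps (not real victim data), and uses a hard-coded holiday window for the 2023 PRC National Day break; the function names are the example's own.

```python
"""Temporal attribution check (added example, not Unit 42 code).

Bucket outbound C2 contact timestamps into the suspected operator's local
working week and compare silences against that operator's public holidays.
"""
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Assumption: operator works in China Standard Time (UTC+8).
CST = timezone(timedelta(hours=8))

# Constructed sample: UTC timestamps of connections from a victim network to
# the suspect infrastructure. These are invented for the example.
SAMPLE_EVENTS_UTC = [
    "2023-09-25T01:15:00Z", "2023-09-25T03:40:00Z", "2023-09-26T02:05:00Z",
    "2023-09-27T01:50:00Z", "2023-09-28T04:20:00Z", "2023-09-28T07:10:00Z",
    "2023-10-09T01:30:00Z", "2023-10-10T02:45:00Z", "2023-10-11T01:00:00Z",
    "2023-10-12T03:15:00Z", "2023-10-13T02:30:00Z", "2023-10-14T02:00:00Z",
]

# Hard-coded holiday window for the example: PRC National Day 2023,
# 29 September to 6 October inclusive.
HOLIDAYS = {date(2023, 9, 29) + timedelta(days=i) for i in range(8)}


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def weekday_profile(events, tz=CST):
    """Count events per local weekday (0=Mon..6=Sun) and per local hour."""
    local = [parse_utc(e).astimezone(tz) for e in events]
    return Counter(d.weekday() for d in local), Counter(d.hour for d in local)


def working_week_share(events, tz=CST) -> float:
    """Fraction of events that fall on Monday..Friday in the operator's zone."""
    days, _ = weekday_profile(events, tz)
    total = sum(days.values())
    return sum(days[d] for d in range(5)) / total if total else 0.0


def gaps(events, tz=CST, min_days=3):
    """Return (first_silent_day, last_silent_day, length) for silences >= min_days."""
    local_dates = sorted({parse_utc(e).astimezone(tz).date() for e in events})
    out = []
    for a, b in zip(local_dates, local_dates[1:]):
        silent = (b - a).days - 1  # whole days with no activity strictly between
        if silent >= min_days:
            out.append((a + timedelta(days=1), b - timedelta(days=1), silent))
    return out


def gap_holiday_overlap(gap, holidays=HOLIDAYS) -> float:
    """Fraction of a silent window that coincides with the holiday set."""
    start, end, _ = gap
    window = {start + timedelta(days=i) for i in range((end - start).days + 1)}
    return len(window & holidays) / len(window)


if __name__ == "__main__":
    days, hours = weekday_profile(SAMPLE_EVENTS_UTC)
    print("events per local weekday:", dict(sorted(days.items())))
    print("events per local hour:", dict(sorted(hours.items())))
    print("working-week share: %.2f" % working_week_share(SAMPLE_EVENTS_UTC))
    for g in gaps(SAMPLE_EVENTS_UTC):
        print("silence %s..%s (%d days), holiday overlap %.2f"
              % (g[0], g[1], g[2], gap_holiday_overlap(g)))
```

On the constructed sample the activity sits in the 09:00 to 15:00 CST band, 11 of 12 events fall on weekdays, and the single 10-day silence overlaps the holiday window by 80 percent. Treat this as corroborating evidence only: operators who automate tasking, work from another time zone, or deliberately shift hours will distort the profile, which is why Unit 42 pairs the timing signal with infrastructure and tooling overlaps rather than relying on it alone.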
Geopolitically, Cambodia is heavily invested in China’s Belt and Road Initiative, and China has been assisting Cambodia in a large naval modernisation project.
“The observed activity aligns with geopolitical goals of the Chinese government as it seeks to leverage their strong relations with Cambodia to project their power and expand their naval operations in the region,” Unit 42 concluded.
“We encourage all organisations to leverage our findings to inform the deployment of protective measures to defend against this activity.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.