Unit 42 Reveals Intricate Chinese APT Attack on Cambodia's Government

As many as 24 government entities in Cambodia have fallen victim to a sophisticated campaign orchestrated by Chinese Advanced Persistent Threat (APT) groups. Unit 42 researchers unearthed this extensive operation while analyzing telemetry data, which revealed a consistent surge in network connections originating from Cambodia to infrastructure controlled by the APTs. Victims were found to have been lured to the APT-controlled infrastructure under the pretense they were cloud backup services. Unit 42 reveals that six domains share a common malicious SSL certificate. The impacted organizations encompass various critical sectors, including national defense, election oversight, human rights, national treasury, commerce, politics, natural resources, and telecommunications. These Cambodian government entities are particularly enticing targets due to the wealth of sensitive information they possess, ranging from financial data to citizens' personal information and classified government records.

The threat actors appear to employ a cover technique using a honeypot on port 2222 and implemented IP filtering to minimize detection risks blocking known IP ranges of security companies. Additionally, the actors exhibit a dynamic pattern in port activity, with ports opening and closing in line with their operational hours. Notably, Unit 42 observed peak activity from the threat actors occurring between 08:30 and 17:30 UTC +08:00 (China Standard Time), which closely aligns with Cambodia's typical business hours set at UTC +07:00. Further confirmation of the attackers operating from within China was established by the noticeable decrease in their activity between September 29th and October 8th, 2023, coinciding with China's national holidays, notably, Golden Week.

The significance of this campaign becomes evident in the context of China's expanding influence in Cambodia, particularly through the modernization of the Ream Naval Base, which is poised to become China's first overseas outpost in Southeast Asia. The timing of the actor's activity also reflects China's interests, aligning with their diplomatic and economic ties with Cambodia.