The emails were believable. An interview request for a member of the opposition. An article sent to a government official. A conference invitation for a journalist. But each one was a hacking attempt designed to lure the recipient.
Over the past few months, numerous rights groups, reporters and Cambodia observers have reported seeing a large spike in phishing messages and hacking attempts. Now a report from a leading U.S. cybersecurity firm suggests such cases may be linked to a large-scale operation by a Chinese cyber espionage group seeking to monitor the country’s upcoming and contentious July 29 national elections.
In a report released Wednesday, FireEye details how a well-known Chinese hacking group called TEMP.Periscope targeted opposition figures, government departments, rights defenders and media outlets. Among those compromised by the attacks was the Cambodian National Election Commission, Interior Ministry, diplomats and opposition lawmakers. In the past, the group has gone after corporations, academics and defense contractors in the U.S., Europe, Taiwan and Hong Kong. FireEye, which has been studying TEMP.Periscope since 2013, said there can be little doubt they are working on behalf of the Chinese government.
“The evidence we have gets us as far as information gathering, it definitely shows that China is very interested in the upcoming elections,” Benjamin Read, Senior Manager for Cyber Espionage Analysis at FireEye, tells TIME.
China is a close ally of Cambodia, and has invested billions in infrastructure, development, military support and aid. “Any upheaval in Cambodia would be an issue for China considering their close partnership,” says Read, pointing to the recent election in Malaysia — in which the surprise outcome has caused a headache for Beijing with billions of dollars in infrastructure and construction contracts now being reevaluated.
Such an outcome is unlikely in Cambodia, where the government last year dissolved its only viable political competition, the Cambodia National Rescue Party, and imprisoned its leader Kem Sokha. But the surveillance nevertheless highlights China’s deep interest in the inner workings of both friends and foes.
“This incident is the most recent example of aggressive nation-state collection on election processes worldwide. Though election related activity has only been uncovered in Southeast Asia, it would be a mistake to assume these threats are not relevant elsewhere,” the report notes.
Calls and emails requesting comment from the election commission and several ministries went unanswered. Speaking at a EuroCham workshop on cybersecurity last month, Ou Phannarith, director of ICT security at the Ministry of Posts and Telecommunications, said that while the provenance of cyberattacks could be difficult to determine, they were a common occurrence, exacerbated by lax security standards and a weak understanding of security.
“We notify all government agencies to watch for, to look for all these types of attacks and be prepared to mitigate such kind of attacks if something happens. For advisory, we have the national CERT [Computer Emergency Response Team] of Cambodia, we release advisories to our website to ask everyone to fix vulnerabilities.”
Prominent Cambodian human rights group Licadho is named in the report as being targeted in one such attack. Naly Pilorge, director of Licadho, says the organization has dealt with more cyber attacks “in the past six months than in the past 10 years.”
“Part of it might be our capacity to recognize digital threats, but there is definitely an aspect where the attacks are more sophisticated, less generic and more consistent,” she says.
Among those sophisticated attacks was an email sent to CNRP spokesperson Kem Monovithya, who is also the daughter of Kem Sokha. The email, one of the TEMP.Periscope lures, purported to be from an employee at Licadho and contained a believable email address and request.
“The name [of the purported staffer] was correct, the title was correct but the phone number was incorrect and the person doesn’t write like that,” says Pilorge. “There were a whole slew of emails, six or seven, and always the same individual impersonating a Licadho [staffer], asking all kinds of things — open this attachment, do this do that.”
“I was shocked, there were so many. And how sophisticated it was. They had our real logo, almost everything.”
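The impersonation Pilorge describes (a correct staff name and title, a plausible-looking address, a request to open an attachment) is the kind of lure a mail gateway or an analyst can triage mechanically, because the things the attacker gets right (name, logo) are not the things that identify the sender. The following is an added example, not code from the article or from FireEye's report; the staff directory, the domain names and both messages are constructed for illustration, and no real organization's domain is assumed.

```python
"""Triage checks for a display-name impersonation lure.

Added example, not from the article or FireEye's report. The staff
directory, domains and messages below are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical staff directory: display name -> (title, legitimate domain).
# In practice this comes from the organization's own address book.
KNOWN_STAFF = {
    "Sok Dara": ("Programme Officer", "example-ngo.org"),
}

# Constructed lure: name and title are "correct", but the address sits on a
# lookalike domain, Reply-To points elsewhere, and the attachment is an
# executable with a double extension.
SAMPLE_LURE = """\
From: Sok Dara <sok.dara@example-ngo-mail.org>
Reply-To: sok.dara@webmail.example
To: recipient@example.net
Subject: Interview request
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear colleague, please open the attached file and reply.
Sok Dara
Programme Officer
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Interview_Questions.docx.exe"

ZmFrZQ==
--b1--
"""

# Constructed benign message from the same staffer on the legitimate domain.
SAMPLE_BENIGN = """\
From: Sok Dara <sok.dara@example-ngo.org>
To: recipient@example.net
Subject: Hello

Just checking in.
"""

RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso"}


def triage(raw: str) -> list[str]:
    """Return the findings for one message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display name matches a known staffer but the sending domain does not.
    if name in KNOWN_STAFF and domain != KNOWN_STAFF[name][1]:
        findings.append(f"display-name impersonation: {name!r} sent from {domain!r}")

    # 2. Replies are silently redirected to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"reply-to mismatch: {reply!r}")

    # 3. Attachment whose final extension is executable, whatever the name suggests.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if any(fname.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {fname!r}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LURE):
        print(finding)
```

None of these checks needs the message body: the lure's real logo and correct title are exactly what the checks ignore. A wrong phone number in the signature, the detail that tipped Licadho off, is a human-level check that a directory lookup of the same kind could also automate.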
The Chinese attacks come on the heels of a Vietnamese state-linked cyber attack on Licadho in May, run through the website of local paper the Phnom Penh Post. The same Vietnamese group also sent a spear phishing email to dozens of journalists, diplomats and academics while pretending to be a staffer with Cambodia’s National Election Commission, according to FireEye.
Simultaneously, the Cambodian government has vowed harsher surveillance of online activity, and has already arrested or threatened several people for posting social media comments critical of the government.
For rights monitors and journalists handling sensitive information, the stakes of such attacks are high. “We have confidential information of victims and people that have reported information to us. They depend on us to keep that information secure,” says Licadho’s Pilorge.
Nop Vy, media director at the Cambodian Center for Independent Media, which also runs Voice of Democracy, a popular independent news outlet, said he is concerned hackers could monitor private communication and use it as evidence against the organization and its journalists, or that they might take over the websites and post fake information.
“They can spoil an article of ours and make a problem with our image and also maybe it [can be used as] evidence, that they can use to accuse us as well. The court may not understand about the hacking but they think… they have evidence from the [fake] article.”
CENTRAL, a Cambodian labor rights organization that has trained hundreds of unionists, youth groups, rights defenders and journalists in digital security, says it expects more attacks in the run-up to the elections later this month. Ngeth Moses, head of CENTRAL’s media unit, says his biggest fear is that the social media accounts of prominent individuals could be weaponized, used to spread fake news or even to falsely encourage followers to protest, for instance.
“Imagine if [opposition leader] Sam Rainsy’s Facebook page got hacked. And they say ‘please do this or do that.’ Or what if they do what they did in U.S. election? They make the Facebook account promotion and target a [party] supporter with false information to make chaos?” he says. “What if those hackers are inside the accounts now and they’re not doing anything, just waiting until the right time?”