A recent cybersecurity report reveals ongoing malicious activities attributed to two significant Chinese state-sponsored hacking groups, aimed at infiltrating 24 government entities in Cambodia. This activity is indicative of a long-term espionage operation, as outlined by researchers from Palo Alto Networks’ Unit 42 last week.

The researchers noted that these cyber intrusions align with the geopolitical ambitions of the Chinese government, strategically leveraging its robust ties with Cambodia to enhance its influence and extend naval operations in Southeast Asia.

The organizations targeted by these attacks encompass a diverse array of sectors, including national defense, electoral oversight, human rights, treasury and finance, commerce, politics, natural resources, and telecommunications. This broad spectrum highlights the adversaries’ intent to gather sensitive information across critical areas of the Cambodian government.

Evidence suggests that the cyber adversaries have maintained persistent connections from compromised networks to infrastructure associated with China, often presenting themselves as legitimate cloud backup and storage services over several months. This approach may reflect a deliberate effort by the attackers to remain undetected within routine network traffic.

The correlation to Chinese state-linked actors is reinforced by the timing of the attacks, which predominantly occurred during regular business hours in China. A significant reduction in malicious activities was observed in late September and early October 2023, aligning with China’s Golden Week national holidays, only to resume at typical levels shortly thereafter.
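As an added illustration (not code from the Unit 42 report or this article) of how the timing signal described above can be measured from a defender's own logs, the Python below buckets outbound connection timestamps by local hour in an assumed operator time zone (UTC+8) and compares daily activity inside and outside an assumed 1-7 October 2023 Golden Week window; the 09:00-17:59 working window and the sample log are constructed assumptions.

```python
# Timing heuristics for outbound connection logs: bucket activity by hour of
# day in an assumed operator time zone (Asia/Shanghai, UTC+8) and check whether
# it pauses over a known holiday window. All input data is constructed.
from collections import Counter
from datetime import date, datetime, timedelta, timezone

CST = timezone(timedelta(hours=8))                         # UTC+8, no DST
BUSINESS_HOURS = range(9, 18)                              # assumed 09:00-17:59 local
GOLDEN_WEEK_2023 = (date(2023, 10, 1), date(2023, 10, 7))  # assumed holiday window

def to_local(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' and convert to UTC+8."""
    utc = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc.astimezone(CST)

def hour_histogram(timestamps):
    """Events per local hour of day (0-23)."""
    return Counter(to_local(t).hour for t in timestamps)

def business_hours_fraction(timestamps):
    """Share of weekday events that fall inside BUSINESS_HOURS (local time)."""
    weekday = [d for d in map(to_local, timestamps) if d.weekday() < 5]
    return sum(d.hour in BUSINESS_HOURS for d in weekday) / len(weekday) if weekday else 0.0

def holiday_drop(timestamps, window=GOLDEN_WEEK_2023):
    """Mean daily events inside the window divided by the mean outside it:
    0.0 means activity stopped completely, ~1.0 means no holiday effect."""
    counts = Counter(to_local(t).date() for t in timestamps)
    inside, outside, day = [], [], min(counts)
    while day <= max(counts):
        (inside if window[0] <= day <= window[1] else outside).append(counts.get(day, 0))
        day += timedelta(days=1)
    mean_out = sum(outside) / len(outside) if outside else 0.0
    mean_in = sum(inside) / len(inside) if inside else mean_out
    return mean_in / mean_out if mean_out else 1.0

def constructed_log():
    """Synthetic log: four events per weekday at 09:15/11:15/13:15/16:15 local from
    2023-09-18 to 2023-10-13, none during Golden Week, plus two late-night outliers."""
    events, day = [], date(2023, 9, 18)
    while day <= date(2023, 10, 13):
        if day.weekday() < 5 and not GOLDEN_WEEK_2023[0] <= day <= GOLDEN_WEEK_2023[1]:
            events += [f"{day.isoformat()}T{h:02d}:15:00Z" for h in (1, 3, 5, 8)]
        day += timedelta(days=1)
    return events + ["2023-09-20T14:30:00Z", "2023-10-11T15:10:00Z"]  # 22:30 / 23:10 local

if __name__ == "__main__":
    log = constructed_log()
    print(f"business-hours share {business_hours_fraction(log):.2f}, "
          f"holiday/normal ratio {holiday_drop(log):.2f}")
```

A high business-hours share combined with a near-zero holiday ratio is only a weak, corroborating signal; it should be weighed alongside infrastructure and tooling overlaps rather than used on its own for attribution.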

Several Chinese hacking groups, such as Emissary Panda, Gelsemium, Granite Typhoon, Mustang Panda, RedHotel, ToddyCat, and UNC4191, have been implicated in various espionage campaigns targeting both public and private sectors across Asia in recent years. These groups continue to evolve their tactics, often exploiting known vulnerabilities and employing sophisticated malware to execute their objectives.

In a related incident, Elastic Security Labs recently reported an intrusion set identified as REF5961, utilizing various custom backdoors to launch attacks against ASEAN countries, further evidencing China’s expansive and coordinated cyber espionage efforts.

The malware utilized in these operations overlaps with previously reported intrusion sets, illustrating a strategic evolution from general intellectual property theft to a more focused approach aimed at achieving specific strategic and geopolitical interests, especially in relation to China’s Belt and Road Initiative.

Since early 2021, Chinese state-sponsored cyber groups have been linked to the exploitation of numerous zero-day vulnerabilities, impacting well-known systems such as Microsoft Exchange Server and Fortinet FortiOS, indicating a targeted focus on high-value assets and critical infrastructure.

As the threat landscape continues to shift, business owners and cybersecurity professionals are urged to remain vigilant and informed about potential vulnerabilities and evolving adversary tactics as outlined by the MITRE ATT&CK framework. Key areas to consider include initial access, persistence, and privilege escalation techniques commonly employed in these sophisticated attacks.
