A mysterious Chinese cyberespionage group targeted Cambodian politicians, media, and major figures in the opposition ahead of the country's elections on July 29, cybersecurity research firm FireEye said in a report.
The hacking group, called TEMP.Periscope, was connected to an IP address based on Hainan island in southern China. TEMP.Periscope used spear-phishing — in which fraudulent emails are sent from what appears to be a trusted sender to get targeted individuals to reveal information — and other attacks to target several organizations and people.
Among those targeted was Kem Monovithya, who is the daughter of jailed opposition leader Kem Sokha and an official in the country's opposition.
FireEye has tracked TEMP.Periscope since 2013 and said there's strong belief that the group is acting on behalf of the Chinese government. Its targets are similar to past Chinese government hacking attempts, said Ben Read, senior manager of cyberespionage analysis for FireEye.
FireEye said the group had compromised organizations, including Cambodia's National Election Commission, the Interior Ministry, members of parliament who were part of the opposition party, two Cambodian diplomats, and several media outlets.
Kem had no idea that she was being targeted when she opened an email purporting to be from a researcher at LICADHO, one of Cambodia's most prominent human rights groups.
In fact, she opened the email, read that it was asking her to take a survey about political rights in Cambodia for a planned Washington Post article and then promptly forgot to respond or download its attachment. The person emailing her had expressed sympathy about the case of her father, who was arrested on allegations of "treason."
"Normally I get a lot of phishing emails and I immediately know what they are," Kem said. "But this one, it was not. The person followed up for days and days. I actually felt guilty for not responding. It was so personal."
After about a week, Kem opened the email chain again, intending to respond, and then glanced at the sending email address. It looked suspicious.
She called a friend who worked at LICADHO, she said, and asked if Chheng Sophors, the man whose name the email's sender was using, had actually sent the note. As it happened, Sophors was in the office at the time and confirmed that he hadn't.
After that, Kem said, she even tried writing back to the sender of the email in the Khmer language to see if they were from Cambodia. The sender responded immediately in fluent but non-native English, Kem said, urging her to open the document linked in the email.
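The check Kem eventually made by hand, looking at the real sending address behind a familiar display name and confirming out of band, can be automated as a first-pass filter. The following is an added example, not code from the article or from FireEye: it parses a message's From and Reply-To headers and flags a sender whose display name claims an organisation but whose address sits on an untrusted domain. The sample message and every domain in it are constructed placeholders, not the real organisation's.

```python
"""Flag spear-phishing sender mismatches (added example, not from the article)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name impersonates a researcher at a
# human-rights group, but the actual address is on an unrelated domain,
# and replies are redirected to yet another mailbox. All domains are
# placeholders (".invalid" is reserved and never resolves).
SUSPICIOUS_EMAIL = """From: Human Rights Researcher <researcher@freemail-example.invalid>
Reply-To: survey-team@other-example.invalid
To: recipient@example.invalid
Subject: Survey on political rights in Cambodia

Dear colleague, please find the survey at the link below.
"""

# Constructed sample of a message that passes the same checks.
LEGITIMATE_EMAIL = """From: Human Rights Researcher <researcher@ngo-example.invalid>
To: recipient@example.invalid
Subject: Meeting notes

Notes attached.
"""

# Hypothetical set of domains the recipient knows the organisation uses.
TRUSTED_DOMAINS = {"ngo-example.invalid"}


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(raw_message: str, trusted_domains: set[str]) -> list[str]:
    """Return a list of warnings about the message's sender headers.

    Two signals are checked: the From address domain must belong to the
    organisation the display name implies, and any Reply-To must match the
    From address (a differing Reply-To quietly redirects the conversation).
    """
    msg = message_from_string(raw_message)
    warnings: list[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(from_addr)
    if domain not in trusted_domains:
        warnings.append(
            f"From domain '{domain}' is not trusted for sender '{display_name}'; "
            "verify with the organisation through a known channel"
        )

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"Reply-To '{reply_addr}' differs from From '{from_addr}'")

    return warnings


if __name__ == "__main__":
    for w in check_sender(SUSPICIOUS_EMAIL, TRUSTED_DOMAINS):
        print("WARNING:", w)
    print("legitimate sample warnings:", check_sender(LEGITIMATE_EMAIL, TRUSTED_DOMAINS))
```

A clean result from this filter is not proof of legitimacy, since header fields can be forged; its value is the opposite case, surfacing the mismatch early so the recipient asks the claimed sender before opening anything, as Kem did by phone.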
Naly Pilorge, director of LICADHO, said that, to the organization's knowledge, no one on its staff had ever been impersonated in this kind of attack before.
"We are concerned even though we were not the target for this incident," she added.
The government of Cambodian Prime Minister Hun Sen dissolved the main opposition party and jailed Kem's father last year, so it's unlikely the elections at the end of this month will be a serious contest.
China is Cambodia's biggest single aid donor and source of foreign investment, and Hun's government has close ties with Beijing.
The link sent to Kem and others downloads malware onto the target's computer, but also downloads a legitimate-looking file or piece of software at the same time to avoid raising the user's suspicions — in this case, it was a document. Once downloaded, the malware tracks the user's activity.
Asked about the issue at a regular briefing on Wednesday, the Ministry of Foreign Affairs of the People's Republic of China said it did not support cyberattacks.
"I hope this alerts the international community to look at Cambodia’s current crisis in a regional context," Kem said. "We can’t afford to be a victim of any particular country’s ambition."