Although the report from Palo Alto Networks’ Unit 42 does not explicitly name the APT groups involved, researchers are highly confident that these Cambodian government entities have been targeted and compromised by Chinese APT actors. This confidence is based on the nature of the malicious infrastructure, as well as persistent connections over several months. The Washington Post attributed this cyber activity to China’s Ministry of State Security.
The compromised infrastructure was detected through telemetry monitoring associated with the Chinese APT groups, revealing inbound connections originating from the Cambodian government organizations. These entities affected include National Defense, Election Oversight, Human Rights, National Treasury, Finance, Commerce, Politics, Natural Resources, and Telecommunications. These government organizations house sensitive financial data, citizen information, and classified government documents, making them prime targets for long-term cyber espionage activities, according to researchers. Several pieces of evidence point to the group’s origin in China, including their work schedules aligning with China’s Golden Week holiday.
The campaign is believed to be part of a broader espionage effort, aligning with the geopolitical goals of the Chinese government as it leverages its strong relations with Cambodia to extend its influence and naval operations in the region. Despite Cambodia’s close alliance with China, tensions have arisen, particularly with the recent transition of power from Cambodian dictator Hun Sen to his son, Hun Manet.
In addition to these developments, a recent Chinese film highlighting human-trafficking-related online scams has drawn outrage, prompting a harder stance by the Chinese government against cybercrime groups operating from compounds in Cambodia and Myanmar. Chinese APT groups have a history of launching espionage campaigns in Southeast Asia, targeting both allies and adversaries.