Chinese Hackers Initiate Secret Espionage Assaults on 24 Cambodian Entities

Cybersecurity experts have uncovered a series of cyberattacks targeting 24 Cambodian government entities, suspected to be part of a long-term espionage campaign by two prominent Chinese state-sponsored hacking groups. Researchers at Palo Alto Networks' Unit 42 believe these activities align with China's geopolitical ambitions, particularly its interest in expanding naval operations through strong ties with Cambodia.

The targeted sectors are diverse, encompassing defense, election oversight, human rights, treasury and finance, commerce, politics, natural resources, and telecommunications. This broad scope indicates the strategic importance of the campaign.

The researchers identified persistent network connections from these Cambodian organizations to a deceptive Chinese-linked infrastructure. This infrastructure, disguised as cloud backup and storage services, engaged in sustained communication over several months. The use of such masquerading tactics is a deliberate attempt by the attackers to blend into regular network traffic and avoid detection.

Key indicators of the malicious activity include several command-and-control (C2) domain names, such as:

- api.infinitycloud[.]info
- connect.infinitycloud[.]info
- connect.infinitybackup[.]net
- file.wonderbackup[.]com
- login.wonderbackup[.]com
- update.wonderbackup[.]com

These domain names suggest a strategic approach to appear legitimate and unobtrusive.

Further solidifying the connection to China, the researchers observed that the cyber activity was primarily active during standard business hours in China. Notably, there was a noticeable decrease in late September and early October 2023, aligning with China's Golden Week holidays. Activities resumed to typical levels on October 9, reinforcing the hypothesis of Chinese origin.

The revelation of these targeted cyber operations underscores the intricate and covert nature of state-sponsored cyber espionage, particularly in regions of strategic geopolitical interest.

Recent months have seen a surge in espionage activities by China-linked hacking groups targeting various sectors across Asia. Groups like Emissary Panda, Gelsemium, Granite Typhoon, Mustang Panda, RedHotel, ToddyCat, and UNC4191 have been actively involved in these campaigns.

Elastic Security Labs, last month, uncovered an operation dubbed REF5961, which deployed custom backdoors like EAGERBEE, RUDEBIRD, DOWNTOWN, and BLOODALCHEMY. These attacks primarily targeted countries in the Association of Southeast Asian Nations (ASEAN). Intriguingly, these malware families were found alongside another intrusion set, REF2924, known for its use of ShadowPad and operational similarities to Winnti and ChamelGang - all suggesting alignment with Chinese state-sponsored efforts.

Recorded Future's recent report further highlights the evolving nature of Chinese cyber espionage. It points out a shift towards more sophisticated, coordinated tactics, with a particular emphasis on exploiting vulnerabilities in publicly accessible email servers and security/network appliances.

Since early 2021, Chinese state-backed groups have been linked to exploiting at least 23 zero-day vulnerabilities. These include flaws in critical systems like Microsoft Exchange Server, Solarwinds Serv-U, Sophos Firewall, Fortinet FortiOS, Barracuda Email Security Gateway, and Atlassian Confluence Data Center and Server.

These state-sponsored cyber operations have notably transitioned from widespread intellectual property theft to a more focused approach. This newer strategy appears to support specific strategic, economic, and geopolitical objectives, aligning with initiatives like the Belt and Road Initiative and the development of critical technologies. This shift underscores a deliberate and strategic recalibration in China’s cyber espionage activities.