China-linked TEMP.Periscope targets Cambodia before upcoming general elections

• The cyberespionage group has compromised multiple entities linked to the Cambodian electoral system.
• TEMP.Periscope has previously targeted government, maritime, academic and engineering industries across the globe.

A Chinese cyberespionage group called TEMP.Periscope has been found targeting Cambodia ahead of the nation’s upcoming general elections.

The hacker group targeted multiple entities connected to the Cambodian electoral system, including government organizations charged with overseeing the elections and opposition figures. Cambodia is currently gearing up for general elections, which is slated to take place on July 29.

Brief history of TEMP.Periscope

The hacker group has been active since 2013. Previous campaigns reveal that the group has targeted various sectors, including the maritime, engineering, chemical, academic, defense, transportation and manufacturing industries across the globe. The hackers have also previously targeted entities in Europe, the US, UK, Germany, Switzerland and more.

The cyberespionage group has also gone after the technology, media and healthcare industry. According to FireEye researchers, who discovered TEMP.Periscope’s recent campaign, the group’s TTPs and targeting overlaps with that of another threat group called TEMP.Jumper. This group’s activities in turn overlap with another hacker group called NanHaiShu.

“Overall, this activity indicates that the group maintains an extensive intrusion architecture and wide array of malicious tools, and targets a large victim set, which is in line with typical Chinese-based APT efforts,” FireEye researchers wrote in a blog. “We expect this activity to provide the Chinese government with widespread visibility into Cambodian elections and government operations. Additionally, this group is clearly able to run several large-scale intrusions concurrently across a wide range of victim types.”

TEMP.Periscope’s targets

FireEye researchers discovered that TEMP.Periscope had targeted the National Election Commission, the Ministry of the Interior, the Ministry of Foreign Affairs and International Cooperation, the Cambodian Senate, the Ministry of Economics and Finance.

The hackers also targeted a member of the Parliament representing the Cambodia National Rescue Party and two diplomats serving overseas. Apart from political entities, the hackers also targeted multiple local human rights activists and dissidents critical of the current ruling party and media organizations.

“TEMP.Periscope sent a spear phish with AIRBREAK malware to Monovithya Kem, Deputy Director-General, Public Affairs, Cambodia National Rescue Party (CNRP), and the daughter of (imprisoned) Cambodian opposition party leader Kem Sokha,” FireEye researchers said. “The decoy document purports to come from LICADHO (a non-governmental organization [NGO] in Cambodia established in 1992 to promote human rights).”

Modus Operandi

TEMP.Periscope was found using previously known malware strains including AirBreak, HomeFry, MurkyTop, ScanBox and more. The group also appears to have developed two new strains of malware dubbed DADBOD and EVILTECH.

FireEye researchers discovered that the malicious infrastructure TEMP.Periscope used for this campaign was the same the group used to target private organizations in Europe, Asia and North America.

Meanwhile a 2017 MurkyTop malware sample indicated that the group likely compromised the networks of an organization in the US defence industrial base industry, connected to maritime research. The group also targeted a European company with a presence in Asia, indicating that global businesses with links to Asia are also likely under threat.

“Filenames for AIRBREAK downloaders found on the open indexed sites also suggest the ongoing targeting of interests associated with Asian geopolitics,” FireEye researchers said. “In addition, analysis of AIRBREAK downloader sites revealed a related server that underscores TEMP.Periscope's interest in Cambodian politics.”

Why Cambodia?

China-linked hacker groups are known to target US and Southeast Asian entities as the geopolitical scene in these areas is of interest to Beijing. TEMP.Periscope’s campaign is also in line with Chinese APT efforts. Cambodia’s current government has been a supporter of China’s stance on issues pertaining to the South China Sea.

Cambodia is considered as an authoritarian state. However, the recent surprising overthrowing of Malaysia’s ruling party hints at a shifting tide in politics in authoritarian nations. The turn of events in Malaysia may have prompted China to keep a closer eye on Cambodia’s upcoming elections.

“The targeting of the election commission is particularly significant, given the critical role it plays in facilitating voting. There is not yet enough information to determine why the organization was compromised – simply gathering intelligence or as part of a more complex operation,” FireEye researchers added. “We expect TEMP.Periscope to continue targeting a wide range of government and military agencies, international organizations, and private industry.”