Cybersecurity researchers have discovered what they say is malicious cyber activity orchestrated by two prominent Chinese nation-state hacking groups targeting 24 Cambodian government organizations.
“This activity is believed to be part of a long-term espionage campaign,” researchers at Palo Alto Networks Unit 42 said in a report last week.
“The observed activity is in line with the geopolitical goals of the Chinese government as it seeks to use its strong relationship with Cambodia to project its power and expand its maritime operations in the region.”
Targeted organizations include defense, election management, human rights, national treasury and finance, commerce, politics, natural resources, and telecommunications.
The assessment stems from the continuous nature of inbound network connections originating from these entities to China-linked adversarial infrastructure disguised as cloud backup and storage services over a “period of several months.”
Some of the command-and-control (C2) domain names are listed below –
The tactic is likely an attempt on the part of the attackers to fly under the radar and blend in with legitimate network traffic.
In addition, the links to China are based on the fact that the actor’s threat activity is observed mainly during regular business hours in China, with a decrease recorded in late September and early October 2023, coinciding with the Golden Week national holiday, before resuming to regular levels on October 9.
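The two signals the report relies on, long-running connections from internal hosts to domains posing as cloud backup or storage services, and activity concentrated in UTC+8 business hours that dips over a holiday, can both be checked from ordinary egress or DNS logs. The script below is an added example, not code from Unit 42's report; the log lines, host names, domain names, allowlist and thresholds are all constructed for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample egress log (not from the report): UTC timestamp, source host, destination domain.
SAMPLE_LOG = """\
2023-09-18T02:15:07Z,gov-ws-01,sync.cloudbackup-service.example
2023-09-18T03:40:11Z,gov-ws-01,sync.cloudbackup-service.example
2023-09-19T01:05:43Z,gov-ws-01,sync.cloudbackup-service.example
2023-09-20T04:12:09Z,gov-ws-01,sync.cloudbackup-service.example
2023-09-21T02:58:30Z,gov-ws-01,sync.cloudbackup-service.example
2023-09-22T06:31:52Z,gov-ws-01,sync.cloudbackup-service.example
2023-09-23T18:20:00Z,gov-ws-01,sync.cloudbackup-service.example
2023-09-18T02:20:07Z,gov-ws-07,storage.drive-backup-cdn.example
2023-09-25T02:22:07Z,gov-ws-07,storage.drive-backup-cdn.example
2023-09-18T08:00:00Z,gov-ws-02,www.example.org
2023-09-19T08:05:00Z,gov-ws-02,www.example.org
"""

# Words that make a domain look like a cloud backup/storage service (assumed heuristic).
CLOUD_WORDS = ("backup", "cloud", "storage", "sync", "drive")
# Constructed allowlist of base domains the organisation has actually sanctioned.
ALLOWLIST = frozenset({"example.org"})


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse 'timestamp,src,dst' lines into (aware UTC datetime, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = (f.strip() for f in line.split(",", 2))
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, src, dst.lower().rstrip(".")))
    return records


def base_domain(domain: str) -> str:
    """Last two labels of a domain; a simplification that ignores multi-part public suffixes."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def is_lookalike_cloud_domain(domain: str, allowlist: frozenset[str] = ALLOWLIST) -> bool:
    """True when the name advertises cloud backup/storage but is not a sanctioned provider."""
    if base_domain(domain) in allowlist:
        return False
    return any(word in domain for word in CLOUD_WORDS)


def business_hours_share(times: list[datetime], tz_offset_hours: int = 8,
                         start_hour: int = 9, end_hour: int = 18) -> float:
    """Fraction of connections that fall Mon-Fri between start_hour and end_hour in the given UTC offset."""
    if not times:
        return 0.0
    local_tz = timezone(timedelta(hours=tz_offset_hours))
    hits = 0
    for t in times:
        local = t.astimezone(local_tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(times)


def hunt(text: str, min_days: int = 3, min_share: float = 0.6) -> list[dict]:
    """Flag (host, domain) pairs that contact a lookalike cloud domain on many distinct days,
    mostly during the assumed operator's business hours."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for when, src, dst in parse_log(text):
        if is_lookalike_cloud_domain(dst):
            by_pair[(src, dst)].append(when)
    findings = []
    for (src, dst), times in sorted(by_pair.items()):
        days = {t.date() for t in times}
        share = business_hours_share(times)
        if len(days) >= min_days and share >= min_share:
            findings.append({
                "src": src, "dst": dst, "days": len(days),
                "connections": len(times), "business_hours_share": round(share, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

In the constructed data only `gov-ws-01` is flagged: it reaches a "sync" domain on six distinct days and six of its seven connections land in UTC+8 weekday hours; `gov-ws-07` touches a lookalike domain but on too few days, and `www.example.org` is on the allowlist. The keyword heuristic and the 09:00–18:00 window are assumptions to tune against your own traffic; the value of the timing signal is in the histogram over weeks, as the report's Golden Week dip shows, not in any single connection.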
China-nexus hacking groups such as Emissary Panda, Gelsemium, Granite Typhoon, Mustang Panda, RedHotel, ToddyCat, and UNC4191 have launched an array of espionage campaigns targeting the public and private sectors across Asia in recent months.
Last month, Elastic Security Labs detailed an intrusion set codenamed REF5961 that was found to be using backdoors such as EAGERBEE, RUDEBIRD, DOWNTOWN, and BLOODALCHEMY in its attacks directed against the countries of the Association of Southeast Asian Nations (ASEAN).
The malware families “were discovered to be co-residents with a previously reported intrusion set, REF2924,” the latter of which was speculated to be a group aligned with China due to its use of ShadowPad and tactical overlaps with Winnti and ChamelGang.
The revelations also follow a report from Recorded Future that highlighted a shift in China’s cyber espionage activity, describing it as more mature and coordinated, and with a strong focus on exploiting known and zero-day vulnerabilities in public-facing email servers, security appliances, and networking appliances.
Since the beginning of 2021, Chinese state-sponsored groups have been accused of exploiting 23 zero-day vulnerabilities, including those found in Microsoft Exchange Server, SolarWinds Serv-U, Sophos Firewall, Fortinet FortiOS, Barracuda Email Security Gateway, and Atlassian Confluence Data Center and Server.
State-sponsored cyber operations are evolving “from the broad theft of intellectual property to a more targeted approach that supports specific strategic, economic, and geopolitical objectives, such as those related to the Belt and Road Initiative and critical technologies,” the company said.