Cybersecurity researchers have discovered what they say is malicious cyber activity orchestrated by two prominent Chinese nation-state hacking groups targeting 24 Cambodian government organizations.
"This activity is believed to be part of a long-term espionage campaign," Palo Alto Networks Unit 42 researchers said in a report last week.
"The observed activity aligns with geopolitical goals of the Chinese government as it seeks to leverage their strong relations with Cambodia to project their power and expand their naval operations in the region."
Targeted organizations span defense, election oversight, human rights, national treasury and finance, commerce, politics, natural resources, and telecommunications sectors.
The assessment stems from the persistent nature of inbound network connections originating from these entities to a China-linked adversarial infrastructure that masquerades as cloud backup and storage services over a "period of several months."
Some of the command-and-control (C2) domain names are listed below -
- api.infinitycloud[.]info
- connect.infinitycloud[.]info
- connect.infinitybackup[.]net
- file.wonderbackup[.]com
- login.wonderbackup[.]com
- update.wonderbackup[.]com
The tactic is likely an attempt on the part of the attackers to fly under the radar and blend in with legitimate network traffic.
What's more, the links to China are based on the fact that the threat actor's activity has been observed primarily during regular business hours in the country, with a drop recorded in late September and early October 2023, coinciding with the Golden Week national holidays, before resuming to regular levels on October 9.
China-nexus hacking groups such as Emissary Panda, Gelsemium, Granite Typhoon, Mustang Panda, RedHotel, ToddyCat, and UNC4191 have launched an array of espionage campaigns targeting public- and private sectors across Asia over the past year.
Last month, Elastic Security Labs detailed an intrusion set codenamed REF5961 that was found leveraging custom backdoors such as EAGERBEE, RUDEBIRD, DOWNTOWN, and BLOODALCHEMY in its attacks directed against the Association of Southeast Asian Nations (ASEAN) countries.
The malware families "were discovered to be co-residents with a previously reported intrusion set, REF2924," the latter of which is assessed to be a China-aligned group owing to its use of ShadowPad and tactical overlaps with Winnti and ChamelGang.
The disclosures also follow a report from Recorded Future highlighting the shift in Chinese cyber espionage activity, describing it as more mature and coordinated, and with a strong focus on exploiting known and zero-day flaws in public-facing email servers, security, and network appliances.
Since the beginning of 2021, Chinese state-sponsored groups have been attributed to the exploitation of 23 zero-day vulnerabilities, including those identified in Microsoft Exchange Server, Solarwinds Serv-U, Sophos Firewall, Fortinet FortiOS, Barracuda Email Security Gateway, and Atlassian Confluence Data Center and Server.
The state-sponsored cyber operations have evolved "from broad intellectual property theft to a more targeted approach supporting specific strategic, economic, and geopolitical goals, such as those related to the Belt and Road Initiative and critical technologies," the company said.
