FireEye: The Chinese state-sponsored hackers of TEMP.Periscope target Cambodia ahead of July 2018 general elections
The Chinese state-sponsored hackers of TEMP.Periscope are targeting Cambodia ahead of the July 2018 elections, according to cyber security experts at FireEye. The company examined a range of the cyber espionage group's activity, “revealing extensive interest in Cambodia’s politics, with active compromises of multiple Cambodian entities related to the country’s electoral system,” the FireEye blog reports. “This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures. This campaign occurs in the run up to the country’s July 29, 2018, general elections. TEMP.Periscope used the same infrastructure for a range of activity against other more traditional targets, including the defense industrial base in the United States and a chemical company based in Europe. Our previous blog post focused on the group’s targeting of engineering and maritime entities in the U.S.”
The cyber espionage group maintains an extensive intrusion architecture and wide array of malicious tools, and targets a large victim set
This activity indicates that TEMP.Periscope “maintains an extensive intrusion architecture and wide array of malicious tools, and targets a large victim set, which is in line with typical Chinese-based APT efforts. We expect this activity to provide the Chinese government with widespread visibility into Cambodian elections and government operations.” Additionally, the cyber spies are “clearly able to run several large-scale intrusions concurrently across a wide range of victim types. Our analysis also strengthened our overall attribution of this group. We observed the toolsets we previously attributed” to the state-sponsored hackers, “their observed targets are in line with past group efforts and also highly similar to known Chinese APT efforts, and we identified an IP address originating in Hainan, China that was used to remotely access and administer a command and control (C2) server.”
Who are the TEMP.Periscope cyber spies
The TEMP.Periscope cyber espionage group has been active since at least 2013. “It has primarily focused on maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities. The group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. TEMP.Periscope overlaps in targeting, as well as tactics, techniques, and procedures (TTPs), with TEMP.Jumper, a group that also overlaps significantly with public reporting by Proofpoint and F-Secure on ‘NanHaiShu.’”
The cyber warfare attacks are the most recent example of aggressive nation-state intelligence collection on election processes worldwide
The activity uncovered offers “new insight into TEMP.Periscope’s activity. We were previously aware of this actor’s interest in maritime affairs,” FireEye’s cyber security experts explain, “but this compromise gives additional indications that it will target the political system of strategically important countries. Notably, Cambodia has served as a reliable supporter of China’s South China Sea position in international forums such as ASEAN and is an important partner. While Cambodia is rated as Authoritarian by the Economist’s Democracy Index, the recent surprise upset of the ruling party in Malaysia may motivate China to closely monitor Cambodia’s July 29 elections. The targeting of the election commission is particularly significant, given the critical role it plays in facilitating voting. There is not yet enough information to determine why the organization was compromised – simply gathering intelligence or as part of a more complex operation. Regardless, this incident is the most recent example of aggressive nation-state intelligence collection on election processes worldwide.”