this post was submitted on 09 Nov 2023

Unit 42, a cyber risk intelligence firm, has identified malicious Chinese APT infrastructure masquerading as cloud backup services. According to a report, the detected activity "is believed to be part of a long-term espionage campaign".

Monitoring telemetry associated with two prominent Chinese APT groups, the experts observed network connections predominately originating from the country of Cambodia, including inbound connections originating from at least 24 Cambodian government organizations.

There is "high confidence that these Cambodian government entities were targeted and remain compromised by Chinese APT actors," Unit 42 writes in the report, adding that this assessment is due to the malicious nature and ownership of the infrastructure combined with persistent connections over a period of several months.

Cambodia and China maintain strong diplomatic and economic ties. Since Cambodia signed on to China’s Belt and Road Initiative (BRI) in 2013, the relationship between these two countries has grown steadily.

In recent years, China’s most notable investment has been a project to modernize Cambodia's Ream Naval Base. This project generated controversy and drew scrutiny from several Western nations due to initial attempts by both countries to conceal the project.

As the project nears completion this year, the naval base is on track to become China’s first overseas outpost in Southeast Asia. As such, this project demonstrates how significant Cambodia is to China’s ambitions of projecting power and expanding naval operations in the region.

Affected government agencies include National Defense, Election Oversight, Human Rights, National Treasury, Finance, Commerce, Politics, Natural Resources and Telecommunications. These organizations hold vast amounts of sensitive financial data, citizen information and classified government documents.

"The observed activity aligns with geopolitical goals of the Chinese government as it seeks to leverage their strong relations with Cambodia to project their power and expand their naval operations in the region," the cyber experts conclude.

They encourage all affected organizations to leverage their findings to inform the deployment of protective measures, which are also listed in the report, to defend against this activity.

[Edit typo.]
