CCP APT 40/41 (Chengdu404) Targets Cambodian Government, Naval Expansion Confirmed
The CCP's influence and control over Ream Naval Base construction confirmed via satellite imagery & influence within the Cambodian establishment
PHNOM PENH, CAMBODIA: Satellite imagery taken by BlackSky, a U.S. commercial imagery company that has been surveilling construction at Ream naval base in Cambodia, noted “the rapid pace of development of a large Chinese military naval station from August 2021, as recent as October 2023”. The project has reportedly been nearing completion, to the ire of Western authorities, who criticize the clandestine nature of its construction. It also mirrors the CCP naval base being built in Djibouti to bizarrely similar schematics.
“There is a near-exact similarity between an angled deep-water pier located on the western shore of the Ream base and another military pier at the People’s Liberation Army Support Base in Djibouti”, according to Palo Alto Networks’ Unit 42 senior manager Pete Renals, speaking to CNN.
“Both main piers are 363 meters long and large enough to support any ship in China’s naval arsenal, including the new 300-meter-long Type 003 Fujian aircraft carrier,” said Craig Singleton, China Program deputy director and senior fellow at the Foundation for Defense of Democracies.
Unit 42 has also identified malicious Chinese APT infrastructure masquerading as cloud backup services targeting the base. While monitoring telemetry associated with two prominent Chinese APT groups, they observed network connections originating from Cambodia, including inbound connections from at least 24 Cambodian government organizations.
Several subdomains hosted front-facing cloud back-up services, allowing the hackers to disguise the unusual amounts of traffic that come from data exfiltration.
The Cambodian government organizations were seen communicating with this infrastructure in September and October. The government agencies affected include National Defense, Election Oversight, Human Rights, National Treasury, Finance, Commerce, Politics, Natural Resources and Telecommunications.
FINANCIAL REVIEW:
Renals, senior manager of Unit 42, said that based on the firm’s analysis, the activity was linked to two Chinese groups, identified as APT 40 and APT 41.
He said the US government had previously attributed APT 40 to the Chinese Ministry of State Security, Beijing’s main spy agency and secret police force.
APT 41 has been attributed to employees of a Chinese government contractor named Chengdu 404 Network Technology, which has also been sanctioned by the US State Department for cyber crime. (InfiniteEyes also wrote an extensive recent report on Chengdu404 and their global impact)
“China has a long-standing history of compromising networks from both allies and adversaries alike,” Mr. Renals said.
These actors have managed to exfiltrate data from organisations linked to Cambodia’s national defence, elections, human rights, treasury and commerce, politics, natural resources and telecommunications. This data likely includes financial information as well as identity information.
This wasn’t the first time APT40 targeted the Cambodian government. Analysis of command and control logs on the servers revealed compromises of multiple Cambodian entities, primarily those relating to historical 2018 elections. In addition, a separate spear phishing email analyzed by FireEye indicates concurrent targeting of opposition figures within Cambodia by TEMP.Periscope.
Analysis indicated that the following Cambodian government organizations and individuals were compromised by APT40 aka TEMP.Periscope:
National Election Commission, Ministry of the Interior, Ministry of Foreign Affairs and International Cooperation, Cambodian Senate, Ministry of Economics and Finance
Member of Parliament representing Cambodia National Rescue Party
Multiple Cambodians advocating human rights and democracy who have written critically of the current ruling party
Two Cambodian diplomats serving overseas
Multiple Cambodian media entities
While Cambodia is one of China’s closest allies, a significant part of China’s Belt and Road Initiative (BRI) and host of the controversial Ream Naval Base, there have been signs of minor fraying between the two countries since Hun Manet, son of Cambodian dictator Hun Sen, was handed the keys to the country after Sen ended his nearly 40-year rule.
A recent Chinese film has also put a spotlight on the scourge of human-trafficking-backed online scams in the region. This has drawn outrage among Chinese citizens and has forced the Chinese government to take a harder stance against cybercrime groups. Many of these online scams are run out of Cambodia and Myanmar, most of which target the elderly in China.
China has been increasing cyber-espionage efforts not only as a means to stay strategically and technologically effective in the military sphere, but also because stolen innovation can compensate for its increasingly suffering residential and manufacturing sectors. Entities and individuals should use advanced URL and DNS filtering, and ensure firewall and antivirus programs are regularly updated.
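The report describes exfiltration infrastructure dressed up as cloud backup services so that large outbound transfers blend in, and closes by recommending URL and DNS filtering. The script below is an added illustration of how a defender could turn those two points into a check over proxy logs; it is not Unit 42's tooling or anything from the original article. The log lines, the domain names, the sanctioned-backup allowlist and the thresholds are all constructed for the example. The idea is that a "backup"-looking hostname is on its own a weak signal (legitimate providers use the same vocabulary), but an unsanctioned destination that is upload-heavy and contacted by many distinct hosts is worth an analyst's time.

```python
"""Flag upload-heavy traffic to unsanctioned backup-style domains in proxy logs.

Added example (not from the article or from Unit 42). Log lines, domains,
allowlist entries and thresholds below are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample proxy log: timestamp src_host dst_domain bytes_out bytes_in
SAMPLE_LOG = """\
2023-10-02T08:01:12Z ws-finance-07 backup.corp-approved.example 52000000 120000
2023-10-02T08:03:40Z ws-finance-07 sync-cloudbackup-svc.example.net 310000000 45000
2023-10-02T09:15:02Z ws-treasury-03 sync-cloudbackup-svc.example.net 280000000 40000
2023-10-02T09:20:55Z ws-defense-11 sync-cloudbackup-svc.example.net 150000000 38000
2023-10-02T10:02:10Z ws-commerce-01 news.example.org 4000 900000
2023-10-02T10:30:00Z ws-telecom-05 cdn-static.example.com 12000 5600000
2023-10-02T11:11:11Z ws-hr-02 cloud-backup.example.com 900000 300000
"""

# Hypothetical allowlist of backup destinations the organisation actually uses.
SANCTIONED_BACKUP = {"backup.corp-approved.example"}

# Vocabulary that a lookalike "cloud backup" hostname tends to borrow.
BACKUP_WORDS = re.compile(r"backup|bkup|sync|drive|storage|archive", re.I)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


@dataclass
class DomainStats:
    bytes_out: int = 0
    bytes_in: int = 0
    sources: set = field(default_factory=set)


def parse_log(text):
    """Aggregate per-destination byte counts and distinct source hosts."""
    stats = defaultdict(DomainStats)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        _ts, src, dst, out, inb = m.groups()
        s = stats[dst.lower()]
        s.bytes_out += int(out)
        s.bytes_in += int(inb)
        s.sources.add(src)
    return stats


def find_suspicious(stats, min_out=100_000_000, min_ratio=20.0, min_sources=2):
    """Return {domain: [reasons]} for destinations worth analyst review.

    Thresholds are illustrative: 100 MB out, 20:1 upload ratio, 2+ sources.
    """
    findings = {}
    for dom, s in stats.items():
        reasons = []
        # Weak signal: looks like a backup service but is not one we sanction.
        if BACKUP_WORDS.search(dom) and dom not in SANCTIONED_BACKUP:
            reasons.append("backup-lookalike domain not on allowlist")
        # Stronger signal: large, upload-dominated transfer (exfil shape).
        ratio = s.bytes_out / max(s.bytes_in, 1)
        if s.bytes_out >= min_out and ratio >= min_ratio:
            reasons.append(f"upload-heavy: {s.bytes_out} bytes out, ratio {ratio:.0f}:1")
        # Corroboration: many distinct hosts talking to the same odd destination.
        if reasons and len(s.sources) >= min_sources:
            reasons.append(f"{len(s.sources)} distinct source hosts")
        if reasons:
            findings[dom] = reasons
    return findings


if __name__ == "__main__":
    for dom, why in find_suspicious(parse_log(SAMPLE_LOG)).items():
        print(dom)
        for r in why:
            print("   -", r)
```

Run as-is, the sweep reports one high-confidence destination (lookalike name, hundreds of megabytes uploaded from three hosts) and one low-confidence one (lookalike name only, negligible volume, single host). The allowlisted provider is ignored even though its traffic is also upload-heavy, which is the point of pairing the filtering allowlist with volume analysis rather than relying on either alone.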