Unit 42 has reported malicious Chinese APT infrastructure masquerading as cloud backup services. While monitoring telemetry associated with two prominent Chinese APT groups, Unit 42 observed network connections predominantly originating from Cambodia, including inbound connections from at least 24 Cambodian government organizations.
Unit 42 assesses with high confidence that these Cambodian government entities were targeted and remain compromised by Chinese APT actors. This assessment is based on the malicious nature and ownership of the infrastructure, combined with persistent connections observed over a period of several months.
Cambodia and China maintain strong diplomatic and economic ties. Since Cambodia signed on to China’s Belt and Road Initiative (BRI) in 2013, the relationship between these two countries has grown steadily.
In recent years, China’s most notable investment has been a project to modernize Cambodia’s Ream Naval Base. This project generated controversy and drew scrutiny from several Western nations due to initial attempts by both countries to conceal the project.
As the project nears completion this year, the naval base is on track to become China’s first overseas outpost in Southeast Asia. As such, this project demonstrates how significant Cambodia is to China’s ambitions of projecting power and expanding naval operations in the region.
Pete Renals, Senior Manager, Unit 42 at Palo Alto Networks stated, “Based on our analysis, this activity is linked to two Chinese groups, APT 40 and APT 41. The United States government has previously attributed APT 40 to the Chinese Ministry of State Security and APT 41 to employees of a Chinese government contractor named Chengdu 404 Network Technology. The certificate being used on the command and control infrastructure has been linked to several APT 41 campaigns over the years, while the domains hosted on the infrastructure and the targeted organisations overlap with historical APT 40 activity in the region. At Palo Alto Networks, we call these groups Elemental Taurus (APT 41) and Jumper Taurus (APT 40).”
“China has a longstanding history of compromising networks from both allies and adversaries alike. We have seen this type of activity for several years. We believe these types of cyber espionage operations often provide China with the upper hand in diplomatic negotiations and enable them to shape outcomes in their favour.”