Chinese Hackers Back Beijing’s Authoritarian Pals

Cambodian dissidents come under cyberattack in run-up to sham election.

A supporter of the opposition Cambodia National Rescue Party (CNRP) shouts slogans during a demonstration in Phnom Penh on December 17, 2013. (Tang Chhin Sothy/AFP/Getty Images)

In June, Kem Monovithya, the daughter of jailed Cambodian opposition leader Kem Sokha, received an email. Purportedly from a senior investigator at the Cambodian League for the Promotion and Defense of Human Rights, it requested her help in documenting her father’s ongoing trial in Phnom Penh, where he’s been charged with conspiring with the United States. The Washington-based Monovithya, who says she “can’t go back” to Cambodia, is an official in her father’s Cambodia National Rescue Party (CNRP), which was banned in November 2017.

After several follow-up emails asking her to complete a questionnaire, Monovithya noticed the email came from an address not linked to the human rights organization’s website. When the real investigator confirmed he knew nothing about it, she forwarded the email to a contact, who in turn brought it to global cybersecurity firm FireEye for analysis.

The team found that malware embedded in the decoy questionnaire originated from a secretive Chinese hacking group dubbed TEMP.Periscope. Further analysis revealed that the group had also targeted Cambodia’s Foreign and Interior Ministries, two overseas Cambodian diplomats, several news outlets, and the National Election Committee. The hackers had spread their net across Cambodia’s political spectrum, from government officials to exiled opposition.

The move is a threat to the Cambodian opposition—and a sign that Beijing is getting more willing to unleash its capabilities on behalf of its authoritarian allies such as Cambodian Prime Minister Hun Sen.

Tim Wellsmore, FireEye’s director of government security programs for the Asia-Pacific region, has tracked TEMP.Periscope’s activities since 2013 and is confident the activities are directed by the Chinese government. Small “leaks” in the code reveal that the hackers are based in China, operating on Chinese-language computers, and the group’s targets have always closely reflected the Chinese government’s interests. Tellingly, they have never targeted victims for financial gain.

“We’ve certainly only seen activity that purely aligns with Chinese national interests,” Wellsmore said, pointing to a long history of maritime-related targets in particular connected to China’s increasingly aggressive stance in the South China Sea. “Nothing here suggests that these guys are guns for hire that would then go and do other contract work.”

FireEye detected logins from an IP address in Hainan, China, used to remotely access servers and interact with malware on victims’ computers. It’s not the first time state-sponsored hacks have been traced back to the island, which houses China’s most strategically important naval base for the South China Sea, as well as the Lingshui intelligence base and the notorious military hacking group the 3PLA.

In 2009, researchers at the Citizen Lab and the SecDev Group traced a global cyberspying campaign known as GhostNet, which primarily targeted Tibetan exiles and foreign ministries, back to IP addresses and a government-owned server on Hainan. Shortly after the report was released, the GhostNet infrastructure was dismantled. TEMP.Periscope surfaced around four years later, although it’s unclear if this campaign is operated by the same actors.

This is the first time the group has been detected targeting political figures or press, representing a “significant step up” in their activities, Wellsmore said. While it’s outside TEMP.Periscope’s mostly maritime remit, gathering comprehensive intelligence on the imminent Cambodian election falls firmly within China’s national interests—as does maintaining the status quo.

China is responsible for 70 percent of total industrial investment in Cambodia and has extensive economic interests to protect in the country. Hun Sen, Asia’s longest-serving head of state, is highly sympathetic to and protective of Chinese interests. Beijing doesn’t want that to change. In addition to loans and extensive infrastructure investment in Cambodia as a whole, Beijing has been generous in providing support that serves to strengthen Hun Sen’s position. Unlike the Western donors whom the prime minister previously relied on for financial support, Chinese money comes with no strings attached regarding human rights or democratic standards.

This is great news for Hun Sen, who was spooked by a close (and vehemently contested) call in the 2013 election and has been itching for the chance to shut down opposition without facing consequences. The new line of credit allowed him to outlaw the CNRP, close newspapers and radio stations, and introduce sweeping censorship laws while cutting ties with former donors, abruptly canceling military exercises with the United States, expelling the U.S. Agency for International Development-backed National Democratic Institute, and insisting that cuts to U.S. and European aid are “no problem.” In the process, according to Southeast Asia specialist Carl Thayer, the prime minister put “all his eggs in the China basket,” abandoning any attempt to balance the influence of global players like Japan, Australia, the United States, and the European Union.

Worse, Hun Sen has sold swathes of state-owned land to Chinese companies, while taking on huge loans from a country known for brutally cashing in its debts for strategic gain. It’s a policy that worked out very badly for countries that bought in to China’s Belt and Road Initiative such as Sri Lanka, which was recently forced to cede a Chinese-funded port to Beijing’s control after falling behind on loan repayments, and Tajikistan, whose debt-to-GDP ratio soared from 33 percent to 57 percent in the past three years, with almost four-fifths of this money owed to China. In countries throughout Africa, China’s monopoly on development fosters financial dependence on Beijing. In April, International Monetary Fund head Christine Lagarde explicitly warned against the debt risks for countries involved in the Belt and Road Initiative.

But while China won’t press its debtors for democracy, the loans come with their own strings attached. A pressing risk is Finlandization, the term used by Robert Kaplan, author of Asia’s Cauldron: The South China Sea and the End of a Stable Pacific, to describe the partial loss of sovereignty that defined Finland when it was democratic and capitalist but its foreign policy was decided by the Soviet Union.

“The danger in Southeast Asia and the South China Sea region is that a number of countries will be Finlandized by China: stay independent with their own economies, but their foreign policy will be so influenced in a subtle way by Beijing that they will not wholly be independent in terms of function,” he said.

This is certainly the case for Cambodia, which has become a dependable mouthpiece for China in the Association of Southeast Asian Nations, especially when it comes to vetoing criticism of Beijing’s conduct in the South China Sea. As Mu Sochua, a former CNRP politician-turned-activist who left the country for her own safety in 2017, put it bluntly: “If China gets the South China Sea, Hun Sen stays in power.” She also pointed to the proliferation of Chinese-owned megacasinos along Cambodia’s coast and the granting of land concessions to Chinese companies that appear to operate outside the law as trade-offs for Chinese money. “Aid money, or loan money, or friendship money comes with a heavy price,” she said.

Clearly, China can leverage Belt and Road investments most assertively in countries where its influence is unchallenged, whether by competing soft powers or by domestic opposition from less accommodating party leaders. Eurasia politics consultant Filippo Costa Buranelli points out that Central Asian states such as Kazakhstan and Kyrgyzstan avoided Tajikistan’s fate by offsetting Chinese influence against other regional players such as Russia and the EU. In Malaysia, the democratic ousting of Prime Minister Najib Razak this spring threatened Chinese infrastructure investments while potentially highlighting China’s role in an embarrassing corruption scandal.

The choice of targets in TEMP.Periscope’s Cambodia operation suggests Beijing is taking steps to mitigate these risks. The political exiles of the CNRP are low on political options, but they have one strong hand to play in challenging Hun Sen’s authoritarianism: rallying the United States and EU to impose financial sanctions on individual Cambodian tycoons and political figures who have “directly and substantially” undermined democracy. Two such bills are currently being debated in Congress in the United States, spearheaded by the efforts of Kem Monovithya.

Of the names floated for sanctions by Global Witness, all manage multimillion- or even billion-dollar investments for Chinese companies, including ones owned by the state. One, the tycoon Try Pheap, signed an agreement in April to build a Chinese-funded deep-sea port; another, Ly Yong Phat, is carving a $1.5 billion Cambodia-Chinese Friendship City out of coastal jungle in Koh Kong. At the same time, these proposed sanctions target close friends and powerful allies of Hun Sen, creating a real risk that they could indeed prove an effective weapon—and giving Beijing a good reason to track whispers in relevant government ministries, as well as the progress of those pushing the bill forward.

“Looking forward, governments around the world need to broaden their view of what international cyberthreats they face,” said Danielle Cave, a senior cyber-policy analyst at the Australian Strategic Policy Institute. “They don’t just need to worry about the hacking of their networks, critical infrastructure, and theft of their intellectual property. Increasingly, they must worry about the online manipulation of their citizens.”

With Cambodia’s widely discredited election this weekend already a foregone conclusion, China’s activities here shouldn’t be conflated with Russian-style election meddling. While it dabbles in covert influence tactics in Hong Kong and Taiwan, Beijing tends to be less worried about what voters in allied nations want. As of yet, its tactics lean more toward mitigating the power of an unruly electorate while keeping those at the top of the food chain in line.

By extending the authoritarian surveillance it applies to its own citizens and government employees to those of its economic partners, China can strengthen its bargaining position, steel its interests against disruption and disobedience, and cut out any troublesome uncertainties that come with relying on leaders like Hun Sen.

So far, Cambodia has been silent over the TEMP.Periscope hack, just as previous victims of Beijing’s more brazen espionage efforts, like the African Union, downplayed the severity of these breaches before them. As the digital silk road strand of the Belt and Road vision brings Chinese-managed connectivity and telecoms access to countries such as Myanmar, Nepal, and Kyrgyzstan, researchers warn that Beijing will soon have the tools to monitor foreign populations with the same ease that it watches its own. Until then, groups like TEMP.Periscope allow it to test the limits.



Lindsey Kennedy is a journalist and documentary filmmaker covering stories related to development, global security, and abuses of civil and human rights. She is the director of TePonui Media. Twitter: @LindsAKennedy

Nathan Paul Southern is an investigative reporter and security specialist. He covers non-traditional security threats, Chinese expansionism, organized crime, and terrorism. Twitter: @NathanPSouthern