A known Vietnamese hacker group has created malware in documents that appear related to Asean meetings and is targeting the Cambodian government, a cybersecurity firm said in a report this week.
The firm said it had detected traffic between IP addresses belonging to the government and the hackers’ server, but government officials on Friday cast doubt on the report and said they would investigate the authors’ intent.
In their report, researchers at cybersecurity firm Recorded Future’s Insikt Group said they had “discovered a new malware campaign targeting the Cambodian government.”
The report says the malware was traced to hacker group APT32, also known as OceanLotus, which Recorded Future as well as other cybersecurity organizations have designated as being Vietnam state-sponsored.
Two malware files were found, both with file names that look almost like Microsoft Word files. But they contain malicious programs; in one case the program opens communications to a “command and control,” or C2, server, the report says.
The researchers found traffic going to the hackers’ server. “Several IP addresses assigned to a Cambodian government organization [were found] regularly communicating with the APT32 C2 IP address,” the report says.
The report categorizes the malware as “advanced persistent threats” — meaning they remain on the infected computers to pass on information over a long period of time.
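The “regularly communicating” pattern described above is the signature of a backdoor beaconing to its C2 server. The following Python script is an added example, not code from the report or from Recorded Future; it runs over constructed flow records (the addresses, including the stand-in C2 address 203.0.113.7, are placeholders, not the indicators from the report) and flags hosts whose contacts with the C2 address recur at a near-constant interval.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow records (timestamp source destination); not real data.
# 203.0.113.7 is a placeholder standing in for the C2 address named in the report.
C2_PLACEHOLDER = "203.0.113.7"
SAMPLE_FLOWS = """\
2019-11-01T08:00:05 192.0.2.10 203.0.113.7
2019-11-01T08:00:09 192.0.2.11 198.51.100.20
2019-11-01T08:10:04 192.0.2.10 203.0.113.7
2019-11-01T08:20:06 192.0.2.10 203.0.113.7
2019-11-01T08:30:05 192.0.2.10 203.0.113.7
2019-11-01T08:40:04 192.0.2.10 203.0.113.7
2019-11-01T08:12:41 192.0.2.11 203.0.113.7
2019-11-01T09:47:03 192.0.2.11 203.0.113.7
"""

def parse_flows(text):
    """Parse 'timestamp src dst' lines into (datetime, src, dst) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst))
    return flows

def find_beacons(flows, c2_ip, min_count=4, max_jitter=0.2):
    """Return {host: period_seconds} for hosts contacting c2_ip at regular intervals:
    at least min_count contacts whose gaps vary by no more than max_jitter of the mean."""
    by_host = defaultdict(list)
    for ts, src, dst in flows:
        if dst == c2_ip:
            by_host[src].append(ts)
    hits = {}
    for host, times in by_host.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[host] = round(avg)
    return hits

if __name__ == "__main__":
    for host, period in find_beacons(parse_flows(SAMPLE_FLOWS), C2_PLACEHOLDER).items():
        print(f"{host} beacons to {C2_PLACEHOLDER} roughly every {period}s")
```

The host with two irregular contacts is not reported; only the ten-minute beacon is, which is the kind of evidence the report's statement about government IP addresses rests on.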
Ben Read, senior manager of analysis at cybersecurity firm FireEye’s Mandiant Threat Intelligence, said the malware seen to be targeting the Cambodian government was a “basic backdoor.”
“It would allow the attacker to profile a system it was on, download additional payloads and exfiltrate data. The type of information depends on the computer it is running on,” Read said.
The attack was consistent with what researchers had seen from APT32, he added.
“We believe that this backdoor is unique to APT32, a cyber espionage group acting in support of the Vietnamese Government,” he said. “APT32 consistently targets Southeast Asian governments, for information that will give it an edge in diplomatic and strategic decision-making.”
At the time, the Vietnamese government denied that it was sponsoring the group.
“This accusation is unfounded,” Ngo Toan Thang, deputy spokesman for the Foreign Affairs Ministry said at a press conference in Hanoi. “Vietnam strictly prohibits cyberattacks targeting organizations and individuals in any form.”
Chea Pov, director of the Interior Ministry’s cybercrimes department, said he had seen the Insikt Group report but did not consider it a formal one, as it was written in English, and that it might have been written only to attract interest.
“Sometimes, they just write and post on their page to get attention,” Pov said.
He added that he doubted the Cambodian government could be hacked because it had yet to set up a central data server and was still preparing its “e-government” digitization plan.
“Our government does not have a data center yet. How could it be hacked? What would they be hacking?” Pov asked.
He said his department would be looking into the report and its authors.
“We have seen it and we are studying and investigating whether it is true information or fake,” he said. “We are studying and investigating what intention they have.”
The ministry’s spokesperson, Khieu Sopheak, said he was not aware of the report, but noted that every country needed to be vigilant against cyberattacks.
Koy Kuong, spokesperson for the Foreign Affairs Ministry, and Vietnamese ambassador Vu Quang Minh did not answer questions. Recorded Future also has not responded to questions.
Previous cyberattacks on Cambodia found by researchers include the breach of several government and other entities around the 2018 elections, as well as the possible targeting of a freelance journalist covering the country’s politics.
Cybersecurity firm FireEye said in July 2018 that the National Election Commission; the ministries of interior, foreign affairs and finance; the Senate; an opposition lawmaker; civil society representatives; diplomats; and media organizations were compromised in attacks similar to those previously used by Chinese hackers.
Cambodian government servers also appeared to be compromised in 2017, according to Palo Alto Networks.
Updated at 9 a.m. with comment from FireEye.