Unit 42 identifies Chinese APT infrastructure masquerading as cloud backup services and targeting Cambodian government entities, with long-running activity tied to geopolitical aims. The operation runs a multi-domain, multi-IP C2 setup, exposes a Cowrie honeypot on its servers, and filters inbound connections to hinder defenders; the timing of its activity points to a China-based operator.
#ChineseAPT #CambodianGovernment #CowrieHoneypot #CloudBackupMasquerade
Keypoints
- Unit 42 links Chinese APT activity to Cambodian government targets across multiple sectors, suggesting a long-term espionage campaign.
- At least 24 Cambodian government organizations communicated with the malicious infrastructure during Sept–Oct 2023.
- The threat actors’ C2 infrastructure spans six IP addresses and several domain names, tied together by a shared SSL certificate whose fingerprint serves as a pivot.
- The infrastructure reportedly runs a Cowrie honeypot on port 2222 and uses IP filtering to block certain defenders and researchers.
- The actor’s activity shows a pattern of life around local Cambodian business hours, then shifts to align with China’s Golden Week, indicating possible Chinese-based operation timing.
- Protective guidance includes NGFW with ML and cloud-delivered security, security automation (Cortex XSOAR/XSIAM), and Prisma Cloud container security with WildFire.
MITRE Techniques
- [T1583] Acquire Infrastructure – The threat actor stands up its own C2 infrastructure: six target-facing IP addresses and several domains, linked by a shared SSL certificate. “Most recently, this certificate was used by servers on six target-facing IP addresses.”
- [T1036] Masquerading – Infrastructure masquerades as cloud backup services to appear legitimate to victims and investigators. “masquerading as cloud backup services.”
- [T1041] Exfiltration Over C2 Channel – The operation implies data exfiltration from victim networks over C2 infrastructure. “data exfiltration from the victim network.”
- [T1071.001] Web Protocols – C2 communications occur over common web ports (80, 443, 4433) and associated domains, indicating use of web protocols for C2. “Target Port: 80, 443, 4433” (multi-domain C2 activity).
Indicators of Compromise
- [Domains] – Domains used by the C2 infrastructure – api.infinitycloud.info, connect.infinitycloud.info, ns.infinitycloud.info, and other related domains
- [Infrastructure IP Addresses] – Used for C2 infrastructure – 165.232.186.197, 167.71.226.171, 104.248.153.204
- [SSL Certificate SHA-1 Fingerprint] – Unique fingerprint used by the infrastructure – B8CFF709950CFA86665363D9553532DB9922265C
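The following Python script is an added example, not code from Unit 42 or the report. It shows how a defender would hunt for the indicators above (domains, IPs, and the SSL certificate fingerprint) in outbound TLS/proxy logs and then profile the timing of the hits against local business hours, as in the pattern-of-life keypoint. The log format, the internal 10.0.0.x hosts, the destination 203.0.113.7 / 198.51.100.9 / 192.0.2.44, the SNI `update.some-backup.example` and the non-matching fingerprint are all constructed for the example; the indicators themselves are the ones listed on this page.

```python
"""Hunt for the page's IoCs in constructed log lines and profile hit timing.
Added example; the log format and sample hosts are assumptions, the IoCs are from the page."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Indicators as listed on this page.
IOC_DOMAINS = {
    "api.infinitycloud.info",
    "connect.infinitycloud.info",
    "ns.infinitycloud.info",
}
IOC_IPS = {"165.232.186.197", "167.71.226.171", "104.248.153.204"}
IOC_CERT_SHA1 = "B8CFF709950CFA86665363D9553532DB9922265C"

# Constructed sample log. Assumed format (not any vendor's real format):
# "<utc-timestamp> <src-ip> <dst-ip>:<dst-port> sni=<name> cert_sha1=<fingerprint>"
# Line 2 is the interesting one: an unlisted domain and IP, but the listed certificate.
SAMPLE_LOG = """\
2023-09-18T02:15:00Z 10.0.0.21 165.232.186.197:443 sni=api.infinitycloud.info cert_sha1=B8CFF709950CFA86665363D9553532DB9922265C
2023-09-18T08:40:00Z 10.0.0.21 203.0.113.7:443 sni=update.some-backup.example cert_sha1=b8cff709950cfa86665363d9553532db9922265c
2023-09-19T18:05:00Z 10.0.0.34 167.71.226.171:4433 sni=- cert_sha1=-
2023-09-20T03:30:00Z 10.0.0.34 198.51.100.9:443 sni=www.example.org cert_sha1=0123456789ABCDEF0123456789ABCDEF01234567
2023-10-03T04:00:00Z 10.0.0.21 104.248.153.204:80 sni=- cert_sha1=-
2023-10-05T01:50:00Z 10.0.0.50 192.0.2.44:443 sni=connect.infinitycloud.info cert_sha1=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) "
    r"sni=(?P<sni>\S+) cert_sha1=(?P<cert>\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["port"] = int(rec["port"])
        rec["cert"] = rec["cert"].upper()  # fingerprints are compared case-insensitively
        records.append(rec)
    return records


def ioc_reasons(rec):
    """Return the page indicators a record matches; an empty list means no hit."""
    reasons = []
    if rec["sni"] in IOC_DOMAINS:
        reasons.append("domain:" + rec["sni"])
    if rec["dst"] in IOC_IPS:
        reasons.append("ip:%s/%d" % (rec["dst"], rec["port"]))
    if rec["cert"] == IOC_CERT_SHA1:
        reasons.append("cert_sha1")
    return reasons


def find_hits(records):
    """Keep only records that match at least one indicator, annotated with why."""
    return [dict(rec, reasons=r) for rec in records if (r := ioc_reasons(rec))]


def local_hour_histogram(hits, utc_offset_hours):
    """Count hits per local hour of day after shifting the UTC timestamps."""
    shift = timedelta(hours=utc_offset_hours)
    return Counter((h["ts"] + shift).hour for h in hits)


def business_hours_fraction(hits, utc_offset_hours, start=8, end=18):
    """Fraction of hits falling inside [start, end) local time; 0.0 when there are no hits."""
    if not hits:
        return 0.0
    hist = local_hour_histogram(hits, utc_offset_hours)
    inside = sum(n for hour, n in hist.items() if start <= hour < end)
    return inside / len(hits)


if __name__ == "__main__":
    hits = find_hits(parse_log(SAMPLE_LOG))
    for h in hits:
        print(h["ts"].isoformat(), h["src"], "->", h["dst"], h["reasons"])
    # Cambodia is UTC+7; the same call with 8 gives the China (CST) view.
    print("fraction in Cambodian business hours:", business_hours_fraction(hits, 7))
```

The certificate fingerprint is the indicator worth pivoting on: in the sample it flags a destination that is on neither the domain nor the IP list, which is exactly how the report's "other related domains" get found. The hour histogram is only meaningful across many hits, so run it over weeks of logs per source host rather than over a handful of lines.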
Read more: https://unit42.paloaltonetworks.com/chinese-apt-linked-to-cambodia-government-attacks/