Last month, the daughter of a jailed Cambodian opposition party leader received an email from a well-seeming activist at a reputed Cambodian non-profit. For weeks, the sender nudged Monovithya Kem to open an attachment described as containing interview questions.
Kem suspected a trap set by Cambodian hackers seeking access to her computer. But a monthslong investigation by California security-research firm FireEye revealed that Kem was among several Cambodians likely targeted by a far more formidable actor: China.
FireEye said Wednesday it found evidence that a Chinese hacking team it believes is linked to Beijing has penetrated computer systems belonging to Cambodia's election commission, opposition leaders and media in the months leading up to Cambodia's July 29 election. Investigators could not immediately tell what, if any, data had been stolen or altered.
The Foreign Ministry in China has rejected these allegations.
Although FireEye did not find evidence that the Chinese hackers are working to sway the Cambodian elections in the ruling party's favor, the revelations may cast a murky geopolitical shadow over the elections critics already say will be neither free nor fair.
Prime Minister Hun Sen, one of the world's longest-serving rulers and a staunch ally of Beijing, faced what analysts predicted would have been a tight race before he jailed opposition leader Kem Sokha last year, accusing him of treason.
After the European Union and the United States withdrew their support for the election, China stepped in to donate $20 million to Cambodia's National Election Committee, said Hang Puthea, a spokesman for the body. China also last year pledged $100 million in military aid.
Monovithya Kem, the daughter of Kem Sokha and an official in his now-disbanded Cambodia National Rescue Party, said she has frequently been targeted by Cambodian hackers in the past, but the revelation of potential Chinese involvement shocked her.
“To know that a foreign group is specifically trying to get information from me - now that's scary,” Kem said by phone from Washington, where she is based. “What you're dealing with is suddenly bigger.”
FireEye's head of cyberspying analysis Benjamin Read said malware-ridden files sent to Cambodian targets were traced by his team to an unsecured server operated by the Chinese hacking group TEMP.Periscope.
On the hackers' server, FireEye researchers found records showing that the group had compromised Cambodia's election commission and several Cambodian ministries. The servers' access logs in one instance traced to an IP address in China's southern Hainan island, said Read, who described TEMP.Periscope as the second most active Chinese hacking group FireEye has traced.
FireEye says the group appears state-linked because it seems to be seeking information that would benefit the Chinese government.
“They don't go for credit card numbers of bank account numbers, they go for information that's of use to a government,” Read said. “We saw them use the same infrastructure to target the Cambodia government and private companies. It suggests the Chinese government doesn't draw a line between political espionage versus commercial espionage.”
FireEye has previously found that TEMP.Periscope sought maritime technology from U.S. and European defense firms and other institutions with projects in the contested South China Sea.
China's Foreign Ministry said in a statement that it is not aware of TEMP.Periscope and resolutely opposes cyberattacks as a general principle. “China calls on the international community to combat cybersecurity threats on a respectful, equal and mutually beneficial basis,” it said.
The Cambodian election commission was aware of Wednesday's reports about the hacking, Hang, the commission's spokesman said, and has filed a legal complaint to the Cambodian government.
Government spokesman Phay Sophana said he was not aware of any specific cases of hacking attacks on state agencies. Cambodia would protect its online data, especially relating to national security, the election and financial matters, he added.
The scope of FireEye's findings on Wednesday did not include Taiwan. But Danielle Cave, a cyber policy analyst at the Australian Strategic Policy Institute who is not affiliated to FireEye, said China appears to be testing its cyber and covert influence capabilities on the self-ruled island Beijing claims as its territory.
Cave said Taiwan has long been a target of campaigns by China that combine spreading propaganda favoring China with outright hacking to deface websites or pilfer data.
In January, Taiwan prosecutors said they found evidence that China's Taiwan Affairs Office promised to pay a Taiwanese politician $500,000 to run a website publishing articles promoting unification. China dismissed the allegations as “pure nonsense.”
The website of Taiwanese President Tsai Ing-wen's independence-leaning Democratic Progressive Party was defaced by hackers believed to be from China earlier this month. Kolas Yokata, a DPP legislator, told The Associated Press the party was investing in cybersecurity upgrades ahead of November, when Taiwan is expected to hold local elections that will serve as a referendum on the party's grip on power.
“We especially cannot accept that our elections could be manipulated,” Yokata said.