Facebook internal documents reveal Chinese hackers attacking Cambodian opposition party

10 June, 2022

“A set of … actors logged onto several Cambodian government IP addresses … which lends a possible hypothesis that they may have compromised the Cambodian Ministry of Posts and Telecommunications.” These sentences form part of an internal investigation by a Facebook employee into a hacking attack against the Cambodian government—the document states that the hacks were likely by Chinese hackers, using Facebook’s Messenger and Pages as a platform. The researcher found that the hackers used several “unique titles such as chief, section chief, military, military chief staff officer,” which indicates an intelligence organisation’s structure, likely of Chinese origin. The researcher also concluded that the Chinese hackers were likely working in partnership with the Chinese Ministry of Public Security and the China-ASEAN Technology Transfer Centre—part of a Chinese government programme to share technology with South East Asian nations.

The investigation is part of a large tranche of documents, among the disclosures made to the United States Securities and Exchange Commission, and were provided to Congress in redacted form by the legal counsel of Frances Haugen—a former product manager with Facebook’s civic integrity team, who became a whistle-blower. The investigation links the hacks to a Chinese group called Speeding Wall, about whom not much else is known. Speeding Wall likely targeted Cambodia once previously, in 2017.

The investigation clearly states two possible conclusions. Firstly, the Cambodian government could have used the hacks alongside Chinese help to target the Cambodia National Rescue Party—the primary opposition party in the country—as well as dissenting citizens. Since coming to power in 1979, Cambodia’s ruling Cambodian People’s Party, or CPP, pursued a brutal crackdown on the opposition, particularly using social media. The second possibility, the researcher argues is that the hackers, working at at least some level of coordination with the Chinese government, hacked the Cambodian government in relation to China’s expanding Belt and Road Initiative. The BRI is the Chinese president Xi Jinping’s ambitious geopolitical project, which aims to construct trade routes between China and over seventy countries. The researcher however cautions that the second possibility is less likely. It is currently unclear what action Facebook took against the hackers or if such vulnerabilities on its platform, that allow for international espionage, have been fixed.

The investigation reveals that the hackers used KHRAT, a remote-access Trojan horse that allows hackers to gain access to the victim’s system and access screenshot capabilities, passwords, and the storage of the victim’s device. The document is dated April 1, though it is unclear which year it was made in. The Facebook researcher notes that they found more than a dozen Speeding Wall actors that had been logged onto the Cambodian ministry of posts and telecommunications.