A hacker collective with suspected ties to Chinese intelligence has engaged in “consistent and long-term targeting” of officials from the Cambodia National Rescue Party, an internal investigation by Facebook found.
A report on the investigation was posted to Facebook’s internal social network on April 1, according to disclosures made to the Securities and Exchange Commission and provided to the U.S. Congress in redacted form by Facebook whistleblower Frances Haugen’s legal counsel. The redacted versions received by Congress were reviewed by a consortium of news organizations, including RFA.
Dubbed “Speeding Wall” and seemingly of Chinese origin, the hacker group is alleged in the report to have launched cyberattacks from Cambodian government servers against the CNRP. The party was the country’s main opposition bloc prior to its dissolution by the Cambodian Supreme Court in 2017.
“Leaders and followers of the CNRP have been targets of Speeding Wall through Facebook’s apps and services (notably, Messenger, Pages, and through comments and posts),” writes the report’s author, whose name is redacted.
A spokesperson for Facebook refused to speak about the report, citing a company policy of not commenting on specific incidents.
According to the report, Facebook’s investigator tracked four individuals they assessed with a high degree of confidence to be members of Speeding Wall logging on to Facebook from IP addresses belonging to Cambodia’s Ministry of Posts and Telecommunications.
“It’s probable these servers may have been compromised by these threat actors,” the report’s author wrote, noting that in 2017 hackers targeting Cambodian opposition and civil society groups hosted malicious files on government servers.
A 2018 investigation by US cybersecurity firm FireEye described the 2017 hack as an “example of aggressive nation-state intelligence collection” and concluded that it would likely “provide the Chinese government with widespread visibility into Cambodian elections and government operations.”
Threat to sovereignty
Among those targeted in 2017 was Kem Monovithya, CNRP deputy director-general of public affairs. She told RFA that Facebook has not contacted the CNRP about Speeding Wall’s alleged targeting of the party.
However, on Oct. 12 last year she received a pop-up alert on Facebook that her account had been the target of an attempted hack, she said. It is unclear whether the hack she was alerted to was linked to Speeding Wall.
Regardless, she said, the notion that hackers linked to the Chinese state might be targeting her and her colleagues no longer shocked her.
“This time it doesn’t surprise me at all. My concern now is beyond their espionage on our communication, but the exploitation of Cambodia’s sea and soil at large,” Monoivthya said. “Cambodia lost democracy and also is on the brink of losing our sovereignty.”
Cambodia has become a focal point of Beijing’s Belt and Road Initiative in recent years, with China becoming the Kingdom’s largest source of foreign investment in 2019. With that increased investment has come what many observers view as an outsized role in Cambodia’s economy and politics.
Ministry of Posts and Telecommunications spokesman Meas Po told RFA that he was unaware of any activity by Chinese hackers.
“I don’t have any information about this, but if you do please share it,” Po said, adding that he was traveling and unaware of any issues at the ministry.
The author of the Facebook report also suggested that Speeding Wall’s activities might be the product of a collaboration between Prime Minister Hun Sen’s Cambodian People’s Party and the Chinese government, “working together … to counter the Cambodian opposition party.”
“This theory offers an explanation why we’re seeing Speeding Wall actors using Cambodian Government infrastructure to target the CPP’s opposition party,” the report’s author wrote.
Support for this theory was discovered by the investigator through Centra, a controversial tool reportedly used by Facebook to track users across the internet, whether they are logged in to their account or not.
Accessing the profile of one of the suspected Speeding Wall hackers, the author noted that the hacker had imported contact information for individuals with the Chinese-language titles Chief, Section Chief, Team lead, Military, Military Chief Staff Officer, and teacher.
“These titles typically indicate an intelligence organization’s structure,” the author wrote.
Another suspected Speeding Wall member had multiple contacts linked to the China-ASEAN Technology Transfer Center, the author noted. The CATTC is part of a Chinese government program to promote research and technology exchanges between China and the Association of Southeast Asian Nations. It established a presence in Cambodia in 2014.
The presence of CATTC employees in a Speeding Wall hacker’s contact list could be an indication of collaboration between the CPP and China, the report’s author wrote.
Alternatively, the author countered, the Speeding Wall hackers could be using employment with the CATTC as a cover to “target Cambodia writ large.”
“While there’s no evidence to prove this assumption, their targeting of Cambodian government servers and long-term targeting of Cambodia may be some indication,” the author wrote.
The CATTC and the Chinese embassy in Washington did not respond to emailed requests for comment on the allegations in the report.
CPP spokesperson Sok Ey San rejected any suggestion the hackers were in cahoots with Cambodia’s ruling party. He said that the government had no cause to spy on the CNRP.
“We have nothing to do with it. Don’t be suspicious of us. They just want to put the blame on us,” he told RFA. “The winning CPP has been busy rebuilding the country and maintaining peace. We don’t have time to investigate those rebels.”
Cambodian authorities have arrested and imprisoned dozens of CNRP activists since the party was outlawed in 2017 – a move that effectively criminalized the main political opposition to longtime ruler Hun Sen.
Copyright © 1998-2016, RFA. Used with the permission of Radio Free Asia, 2025 M St. NW, Suite 300, Washington DC 20036Radio Free Europe–Copyright (c) 2015. RFE/RL, Inc. Reprinted with the permission of Radio Free Europe/Radio Liberty, 1201 Connecticut Ave NW, Ste 400, Washington DC 20036.