Self Assessment

THE CHANGING CYBER THREAT LANDSCAPE SOUTHEAST ASIA

Published On : 2024-11-29
Share :
THE CHANGING CYBER THREAT LANDSCAPE SOUTHEAST ASIA

EXECUTIVE SUMMARY

The Southeast Asia Cyber Threat Landscape Report provides a comprehensive overview of the evolving cybersecurity landscape in the region. In recent years, Southeast Asia has witnessed a significant increase in cyber threats, driven by factors such as rapid digitalization, increased internet penetration, and geopolitical tensions. This report aims to provide key insights into the current state of cyber threats, and emerging trends.

THE GEOGRAPHICAL SCOPE OF THIS REPORT
Vietnam, Cambodia

SEA Volume – 1
Indonesia, Philippines, Malaysia, Thailand

SEA Volume – 2
Vietnam, Cambodia, Singapore

Yet to be updated: Singapore

Updated Methodology:
This is a running report. Our research team will update this report on an ongoing basis to keep the reader updated on the region’s evolving cyber threat landscape.

THREAT LANDSCAPE TODAY

01 MOVEMENT FROM DIGITAL TO KINETIC TARGETS
Trend: Ransomware attacks on critical infrastructure
Motives: Disruption/Geopolitical/Extortion

02 DATA EXFILTRATION FROM IOT DEVICES
Trend: Spyware, malware and plug-ins to collect data
Motive: Reputation impact, disruption, extortion

03 EXPLOITATION OF LEGACY SYSTEM
Trend: Brute force attacks, credential reuse and data exfiltration via malware
Motive: Operational disruption, espionage, IP exfiltration

04 CROSS-ENVIRONMENT ATTACK
Trend: social engineering/phishing. jump server
Exploits, remote access tool compromise
Motive: Operational disruption, espionage, IP exfiltration

05 USE OF BOTNETS, AI, DEEPFAKE
Trend: Device scanning, firmware, phishing/malware download
Motives: Disruption, data harvesting, remote attacks (DDOS)

06 SUPPLY CHAIN OF INFRASTRUCTURE, UTILITY COMPANIES REMAIN AT RISK
Trend: Multi-behavioral malware (IT/OT, different operating system
Target: CII trade secrets documents containing proprietary processes

SOUTHEAST ASIA – KEY FINDINGS

RANSOMWARE SURGE
Ransomware attacks have surged across Southeast Asia, targeting both businesses and individuals. Criminal organizations have refined their tactics, often demanding hefty ransoms, posing a significant financial and operational risk.

STATE-SPONSORED THREATS
State-sponsored cyber-espionage and cyber-attacks continue to be a major concern. Regional tensions have escalated the risk of cyber-attacks with political and economic motives.

SUPPLY CHAIN VULNERABILITIES
The supply chain has become a prominent attack vector, with adversaries exploiting vulnerabilities in third-party suppliers to compromise larger organizations. This underlines the importance of robust supply chain security measures.

IOT AND CRITICAL INFRASTRUCTURE RISKS
Internet of Things (IoT) devices and critical infrastructure are increasingly targeted, raising concerns about potential disruptions to essential services and infrastructure.

PHISHING AND SOCIAL ENGINEERING
Phishing attacks remain prevalent, often facilitated through social engineering techniques. Education and awareness campaigns are vital in mitigating these threats.

SEA – CYBERCRIME

GROWING LOCAL CYBERCRIME
We observe a similar pattern that previously propelled Eastern Europe (and Russia in particular) to become a cybercriminal superpower.

Economic circumstances and limited opportunities together with low wages for high-skilled roles meant that after the collapse of the Soviet Union, many skilled individuals were unable to find work and turned to cybercrime, from ZeuS banking Trojans to ransomware, to eventually create the largest cybercrime syndicates in the world.

While the situation in Southeast Asia is nothing like the crisis after the collapse of the Soviet Union, there are remote regions, where many young people discover they have computer science talent.

Realizing there are opportunities to make a quick profit with simple hacking skills. Due to the international nature of cybercrime, they can achieve a profit in the price range of more economically-developed nations.

Furthermore, the anonymous nature of cybercrime, coupled with law enforcement focus on physical crime allow cybercrime to keep growing.

Lastly, the SEA region is home to some sophisticated high-skill groups, but similar to Russian cybercrime, they focus on foreign rather than domestic targets.

VIETNAM

OVERVIEW

Vietnam is currently experiencing escalating cyber threats amidst its economic and technological advancements, therefore making it more vulnerable to cyber attacks, including data breaches, state-sponsored espionage, and widespread malware distribution. The nation’s geopolitical tensions, particularly regarding the South China Sea disputes with China, compound these cyber risks, as both countries possess significant cyber capabilities that could target critical infrastructure and sensitive government data.

The expansion of internet access across Vietnam, coupled with low cybersecurity awareness in less urban areas, exacerbates the nation’s cyber vulnerabilities. Additionally, Vietnam’s burgeoning Small and Medium Enterprises (SME) sector, crucial to its economic framework yet often under-resourced in cybersecurity, faces increased risks from sophisticated cyber threats. Recent incidents have shown a rise in advanced persistent threats (APTs) and phishing attacks, often attributed to both regional and international cybercriminals. Activities in the cyber underground, such as the trafficking of illegally obtained Vietnamese data, highlight the pressing need for comprehensive cybersecurity strategies.

To navigate these evolving challenges, Vietnam must enhance its cybersecurity defenses. This includes the development of comprehensive policies, strengthening threat intelligence capabilities, and fostering international collaboration. Such measures are essential to safeguard Vietnam’s expansive digital landscape against the increasingly sophisticated global cyber threat environment.

TRENDS IN THE VIETNAM THREAT LANDSCAPE

  • The cybersecurity landscape in Vietnam is shaped by its complex geopolitical relations, notably with China and the U.S., and its strategic role within ASEAN. Vietnam faces heightened cyber threats including state-sponsored attacks, particularly in light of territorial disputes in the South China Sea, which spur espionage aimed at military and governmental secrets.
  • CYFIRMA observed a significant increase in campaigns (12) targeting various industries in Vietnam during 2024 compared to previous years. Chinese, Russian, and North Korean state-sponsored threat actors are behind most of these campaigns.
  • Organizations in Information Technology, Manufacturing, Tourism, Logistics, and Construction Industries are actively exploited by state-sponsored and financially motivated threat actors.
  • There is increased demand for Vietnamese organizations’ databases in underground forums especially associated with critical infrastructure highlights cybercriminals’ interest in Vietnam.

WHAT ATTRACTS CYBER THREAT ACTORS TO VIETNAM?

  • Economic Growth and Digital Transformation: As Vietnam has experienced rapid economic growth and extensive digital transformation, its expanding digital infrastructure presents more targets for cybercriminals. This includes growing internet users, digital services, and an increasingly complex IT environment in both the public and private sectors.
  • Valuable Intellectual Property: Vietnam’s growing tech industry and manufacturing sector make it a rich target for cyber espionage aimed at stealing trade secrets and intellectual property. This is particularly relevant given Vietnam’s role in the global supply chain for various high-tech and consumer products.
  • Geopolitical Tensions: Vietnam’s strategic location and its involvement in contentious regional issues, especially in the South China Sea, make it a target for state-sponsored cyber operations. These operations are often aimed at espionage, disruption, or influencing political and military decisions.
  • Weak Cybersecurity Measures: Despite improvements, Vietnam’s cybersecurity defenses have been relatively weak, making governmental and corporate networks susceptible to attacks. This includes inadequate cybersecurity policies, a lack of skilled cybersecurity professionals, and slow adoption of modern security technologies.
  • Use as a Cyber Operations Launchpad: Vietnam has also been used as a staging ground for cyber attacks. This is due in part to its relatively permissive digital environment, which can be exploited by both domestic and foreign cyber threat actors to launch attacks while avoiding detection and attribution.
  • Increasing Internet Penetration: With more citizens coming online, cybercriminals see a ripe landscape for schemes like fraud, ransomware, and phishing, targeting less cyber-aware populations.

INDUSTRIAL SECTOR IN FOCUS

INFORMATION TECHNOLOGY
With a strategic emphasis on Information and Communication Technology (ICT), the Vietnamese government has undertaken initiatives to propel its development, recognizing its significance as a priority industry. The ambitious goal is to elevate Vietnam’s digital economy to an impressive US$50 billion by 2025, offering substantial growth prospects for the ICT market. This trajectory is underscored by World Bank data, indicating an annual growth rate of 10% in Vietnam’s digital economy, with the potential to exceed a formidable US$200 billion by 2045. Within this burgeoning digital landscape, the Vietnam Information Technology (IT) industry has become a focal point of interest for threat actors. The convergence of economic ambitions and technological advancements renders the IT sector susceptible to cyber threats, with threat actors aiming to exploit vulnerabilities for economic gains, intellectual property theft, or to gain a competitive advantage.

MANUFACTURING INDUSTRY
The manufacturing sector stands as a pivotal force in Vietnam’s economic landscape, constituting a substantial 23.88% of the country’s GDP in 2023. Notably, this industry’s prowess extends beyond traditional production, with recent years witnessing an uptick in the manufacturing of sophisticated products like automotive parts, consumer electronics, and telecom equipment, showcasing Vietnam’s commitment to technological advancement. Leveraging advanced technologies, the Vietnamese manufacturing industry has earned a competitive edge, producing high-quality goods at a cost-effective scale. In the context of the threat landscape, the strategic importance and economic impact of Vietnam’s manufacturing industry make it an attractive target for threat actors. Cyber adversaries may seek to exploit vulnerabilities in the industry’s digital infrastructure for various motives, including economic espionage, intellectual property theft, or disrupting supply chains. Recognizing the nexus between technological innovation and economic growth, safeguarding the manufacturing sector becomes imperative, necessitating robust cybersecurity measures to protect against evolving threats and preserve Vietnam’s economic resilience.

TOURISM
During the first half of 2024, Vietnam’s tourism sector showcased notable growth, welcoming nearly 8.8 million international visitors, achieving almost half the year’s target. A long-term revenue forecast envisioning an impressive US$135 billion by 2033. Within this thriving landscape, the Vietnam tourism industry becomes an intriguing target for threat actors. The sector’s economic significance, driven by increasing international footfall and substantial revenue projections, makes it an attractive focal point for cyber adversaries. Threat actors may aim to exploit vulnerabilities in the industry’s digital infrastructure for diverse reasons, such as financial fraud, data theft, or disrupting the country’s image as a tourist destination. Recognizing the symbiotic relationship between a secure digital landscape and the sustained growth of Vietnam’s tourism sector, it becomes imperative to fortify cybersecurity measures to safeguard against potential threats and preserve the industry’s positive trajectory.

LOGISTICS
The logistics sector in Vietnam stands out as a rapidly expanding industry, constituting approximately 4.5% of the country’s GDP. Positioned as the 10th among emerging logistics markets globally, Vietnam’s logistics market size is estimated at USD 48.38 billion in 2024 and is expected to reach USD 65.34 billion by 2029. Notably, over 30 companies, including industry giants like DHL, FedEx, and Maersk, contribute to the provision of international logistics services in Vietnam. Within this dynamic context, the Vietnam logistics industry emerges as a focal point for threat actors. The sector’s substantial economic contribution and strategic position in global logistics networks make it an appealing target for cyber adversaries. Threat actors may seek to exploit digital vulnerabilities in the logistics infrastructure for motives such as supply chain disruption, data theft, or financial fraud. Recognizing the critical role of secure logistics in supporting economic activities, fortifying cybersecurity measures becomes imperative to mitigate risks and ensure the resilience of Vietnam’s logistics industry against evolving cyber threats.

CONSTRUCTION INDUSTRY
With a current valuation of USD 23.1 billion, the Vietnam construction market is poised for substantial growth, projected to register a robust CAGR of over 8.5% in the forecast period. Emerging as the latest East Asian growth engine, Vietnam has captivated the interest of international investors, underscoring its strategic importance in the global construction landscape. However, this burgeoning sector also attracts the attention of threat actors in the Vietnam threat landscape. The construction industry’s pivotal role in the country’s economic development, coupled with its increasing international prominence, makes it an attractive target for cyber adversaries. Threat actors may aim to exploit digital vulnerabilities within the construction infrastructure for motives such as intellectual property theft, economic espionage, or disrupting critical projects. Recognizing the interconnectedness of digital infrastructure and the construction industry’s growth, bolstering cybersecurity measures becomes imperative to safeguard against potential threats and ensure the sustained development of Vietnam’s construction sector.

GEOPOLITICAL DYNAMICS AND CYBER THREATS IN VIETNAM

Vietnam’s geopolitical stance and its relationships with global powers profoundly influence its cybersecurity strategies.

South China Sea Disputes: Vietnam’s ongoing territorial disputes with China over the South China Sea not only heighten regional security tensions but also escalate the risk of cyber espionage and attacks aimed at disrupting critical infrastructures. In response, Vietnam has been compelled to bolster its cyber defenses to protect sensitive government and military data, reflecting the direct impact of geopolitical strife on national cybersecurity needs.

Enhanced Ties with the U.S.: The strategic deepening of relations between Vietnam and the United States, aimed at counterbalancing Chinese influence, extends into the cyber realm. This partnership facilitates technology transfer, intelligence sharing, and enhancements in Vietnam’s cyber defense capabilities. Such cooperation is critical for Vietnam to defend against sophisticated cyber threats and ensure the security of its digital infrastructure.

ASEAN Collaboration: As an active participant in ASEAN, Vietnam leverages regional collaboration to address security challenges that span national borders, including cyber threats. Through ASEAN, Vietnam engages in cooperative efforts to combat cybercrime and strengthen regional cyber resilience. This includes adopting shared cybersecurity frameworks and conducting joint exercises, crucial for protecting economic activities and communication networks across Southeast Asia.

Domestic Cyber Controls: Domestically, Vietnam employs stringent internet content controls and surveillance measures to maintain governmental stability and manage public narratives on sensitive issues. These internal cybersecurity measures not only help in monitoring and mitigating domestic cyber threats but also affect Vietnam’s international image concerning human rights and digital freedom.

This integrated approach highlights how Vietnam’s geopolitical maneuvers and concerns are intricately linked to its cybersecurity strategies, emphasizing the critical role of robust cyber defenses in safeguarding national interests and shaping its international engagements.

STRATEGIC REASONS TO TARGET VIETNAM

  • FINANCIAL GAINS
  • GEOPOLITICAL LEVERAGE
    • Regional Influence
    • Coercion and Pressure
  • INTELLIGENCE AND ESPIONAGE
    • Surveillance and Data Collection
    • Monitoring Strategic Assets
  • ECONOMIC AND INDUSTRIAL IMPACT
    • Economic Destabilization
    • Resource Manipulation
    • Hindering Foreign Investment
  • MILITARY AND STRATEGIC PREPARATION
    • Creating Backdoors
    • Infrastructure Mapping

TRENDS FROM THE DARK WEB – VIETNAM

  • CYFIRMA Dark Web telemetry and Early Warning system detected 29 campaigns with victims in Vietnam since the start of 2021.
  • After a relative calm in 2022, the following years recorded the highest number.
  • 2024 has already surpassed previous years.

In 2023 and 2024, there is a substantial rise in the number of observed campaigns, a marked increase compared to the preceding two years. This uptick highlights the heightened interest of threat actors in the economic and geopolitical dynamics of Vietnam.

  • The most attacked industries in Vietnam are Financial Services, Government, Industrial Conglomerates, and IT Services.
Top Industries observed in the APT Campaign

The most active suspected threat actors in campaigns with recorded victims in Vietnam are FIN11, TA505, Lazarus group (DPKR), MISSION2025 (APT41 nexus of activity), combined Chinese Threat actors (Pandas) as well as combined Russian cybercriminal syndicates.

The top observed malware highly correlates with the suspected actors: Tofsee with AppleJeus for Lazarus Group, Winnti & PlugX for MISSION2025, and Emotet with various ransomware by Russian cybercrime syndicates. Cobalt Strike is used by everyone as it is highly effective and offers plausible deniability.

15 out of a total of 50 (30%) observed malware used were unknown custom tools. This is where Threat Intelligence needs to go beyond just providing IOC feeds.

TOP SUSPECTED THREAT ACTORS

TOP OBSERVED MALWARE

The top attacked technology are by large margin Web Applications, simply due to the fact they are internet facing.

Second place are operating systems followed by Application Infrastructures and combined Remote Access tools.

TOP ATTACKED TECHNOLOGY

CAMPAIGNS TO DEFEND AGAINST

Here are some details about observed sample campaigns.

Malware Name Targeted Services/ vulnerabilities Campaign Name Suspected Threat Actor Target Industries Target Geographies
Winnti, Commodity Malware Web Application Camaro Delta Mustang Panda, MISSION2025 Aerospace & Defense, Multiline Retail, Marine, Government, Industrial Conglomerates, Internet & Direct Marketing Retail, Wireless Telecommunication Services, IT Services, Transportation Infrastructure, Communications Equipment, Diversified Financial Services Vietnam, South Korea, Singapore, United States, Philippines, Japan, Taiwan, Australia, Thailand, India, Indonesia
Pubload, PlugX Web Application, Operating System, Infrastructure-as-a-service Solutions 2tomas shoal Mustang Panda Government, Internet & Direct Marketing Retail, Wireless Telecommunication Services, Media, IT Services, Transportation Infrastructure, Communications Equipment, Hotels, Restaurants & Leisure, Airlines, Air Freight & Logistics, Industrial Conglomerates, Energy Equipment & Services, Insurance, Software, Diversified Financial Services Brunei, Vietnam, Philippines, Japan, Taiwan, Malaysia, Thailand, India
MiniDuke, Winnti Web Application All Wealth Cozy Bear,MISSION2025 Aerospace & Defense, Diversified Telecommunication Services, Industrial Conglomerates, Energy Equipment & Services, Metals & Mining, Wireless Telecommunication Services, Banks, IT Services, Transportation Infrastructure, Diversified Financial Services South Korea, Vietnam, United States, Japan, Philippines, Taiwan, United Kingdom, Australia, Thailand, India

THREAT ACTORS TO WATCH

MISSION2025, Stone Panda, Mustang Panda, Gothic Panda, TICK

FIN11, TA505, Cozy Bear, Fancy Bear, Gamaredon, FIN7

LAZARUS GROUP

DATA LEAKS

Data leaks play a crucial role in the landscape of cyber threats, acting as a significant vulnerability that can lead to a wide range of security issues and potential damages. When sensitive or confidential information is accidentally exposed or intentionally stolen and released, it can lead to identity theft, financial fraud, and a severe loss of trust and reputation for the affected organization. Such leaks often provide cybercriminals with the necessary data to conduct more targeted and effective attacks, such as phishing schemes, ransomware attacks, or further unauthorized access into secure systems. Additionally, data leaks can result in hefty regulatory fines and legal challenges, especially if the leaked information includes personally identifiable information (PII) protected under data privacy laws.

A user on an Underground Forum is selling Vietnam-based admin access to .edu domains. Soldier has a good reputation on the forum and also shares breaches from various countries like Italy, UK, Poland, Peru, Brazil, India, Japan, and Russia on their Telegram channel.

A threat actor uses the Telegram channel to sell the database of organizations belonging to Vietnam.

A user on the BreachForum is looking for a database related to Vietnam, indicating the user might be planning to use it for scamming or other social engineering attacks. This highlights the demand for Vietnam databases which motivates cybercriminals to target Vietnamese organizations.

Another user is interested in purchasing data related to the Vietnam government, particularly focusing on information related to electricity or the Ministry of Finance. He has shared his Telegram contact information for potential sellers. This highlights the potential cyber threats to Vietnamese critical infrastructure.

CYFIRMA observed a data leak related to a Vietnamese government-owned postal service. This data breach exposed their internal SRCs for their back-end infrastructure. The size of the leaked data is 2.34 GB.

CYFIRMA observed a Vietnamese database in the underground forum which includes more than 19,000 rows. Leaked data contains the date of birth, full name, place of birth, hometowns, job titles, and other details.

A user on a breach forum is selling a large dataset containing the personal information of individuals from Vietnam. This data includes names, dates of birth, telephone numbers, and email addresses.

A user shared data from a logistics company in Vietnam, which includes details such as the company name, address, contact person’s personal phone number, and email address.

HACKTIVIST

The Quantum of DDoS attacks increased globally after the start of the Russia-Ukraine war when pro-Russian and pro-Ukraine hacktivists started targeting each other with DDoS campaigns and also started targeting alliance nations to show support to their respective country.

A“4 exploitation group” a Pakistani-based hacktivist group, jointly defaced a Vietnamese organization.

The same group targeted another organization based in Vietnam and defaced various sub-groups under the targeted organization.

KyotoSH Security, a Russian-based hacktivist group, has claimed responsibility for hacking a Vietnamese government website. However, it’s possible that they obtained credentials from stealer logs or other combo lists, granting them access to the portal, and are now falsely claiming to have hacked the government portal. At CYFIRMA, we’ve observed numerous cases where threat actors purchase stealer logs as initial access, which are then used for various post-attack activities.

CYFIRMA observed numerous hacktivist collectives actively marketing and distributing unauthorized access credentials to various Vietnamese government entities via Telegram channels. Such activities significantly heighten the risk to national security by potentially facilitating unauthorized data access and systems manipulation.

Marauders hacker team is a Chinese-based hacktivist group that shared in their telegram group about selling Vietnam databases.

Another hacktivist group “We are team_r70” a Yemen-based group, defaced education institutions belonging to the Vietnam region.

RANSOMWARE

Ransomware Victims Count

Active Ransomware Groups

LockBit ransomware is the most active group in Vietnam and has primarily targeted the Manufacturing, Healthcare, Transportation & Logistics, Telecommunications, and Food & Beverages sectors, affecting the largest % of victims at 46% among all targeted organizations.

2023

2024 so far

Observing the trends in victim numbers in Vietnam from 2023 until now shows somewhat steady numbers during 2023, with a ramp-up in later months. The first three quarters of 2024 did not record many victims, most likely due to LockBit takedown.

This is in line with ransomware gangs expanding their focus from just the US and EU to the rest of the world, particularly Asia. Thanks to the affiliate Ransomware-as-a-Service programs, multi-lingual, global threat actors can deploy and execute some of the most dangerous ransomware like LockBit3.

The days of nearly exclusive Russian-speaking gangs solely targeting the US and EU are gone, and increasingly warming ties between Russia, China, and North Korea are showing in cybercrime and ransomware.

Victims per Ransomware Group

LockBit3 is the most frequent ransomware used in Vietnam due to its size and prevalence, however, 9 other gangs also recorded victims, and no single gang seems to be dominant after the disruption of LockBit in early 2024.

However up-and-coming Killsec group created by former Russian DDoS Hacktivists was the latest highly active group in the region scoring 2 victims in the last 2 months in Vietnam.

This, in summary, suggests scattered affiliates targeting Vietnam opportunistically rather than any group showing targeted interest.

  • Air Filtration and HVAC Systems
  • Automotive
  • Beverage (Beer, Alcohol)
  • Construction
  • Diversified Conglomerate
  • Education (Culinary Arts)
  • Education and Technology
  • Electricity Distribution
  • Electricity Generation and Distribution
  • Food Processing and Distribution
  • Industrial Park Development
  • Information Technology and Telecom
  • Oil and Gas Services
  • Packaging and Plastics
  • Technology and Software Development
  • Telecommunications

Looking at the industries of identifiable victims of ransomware in Vietnam, we can observe a diverse range of affected industries from education to manufacturing.

RANSOMWARE BY INDUSTRY– 2023 UNTIL NOW

Since the start of 2023, Professional & Consumer Goods & Services have been the most frequent victims of ransomware. This is due to a high number of small and medium-sized businesses, including small law or accounting firms.

RANSOMWARE BY INDUSTRY– 2023 & 2024 until now

Separating 2023 and 2024 we can see some movements. For example, the Finance industry fell from 8.5% to just a 5.0% share of all victims, and Real Estate & Construction jumped up to 8.7% from 7.0.

RANSOMWARE – 2023 until Now

All Sectors

All Sectors

PHISHING

During the last 6 months period CYFIRMA’s advanced telemetry systems observed a total of 608,999 phishing campaigns.

Data represent the ASN-based origin of the phishing emails captured.

While the US remains the largest source by far, Southeast Asian countries are steadily growing as a source of Phishing attacks.

Vietnam ranked 9th overall.

Note: The US is the most targeted country by cybercrime and as a result, it also contains the most compromised devices used in botnets as proxies to deploy malware and send phishing around the world.

Narrowing down the selection of countries to the Asia-Pacific region we can have a more detailed view of the regional threat landscape.

Hong Kong stands out largely due to the fact it is commonly used by Chinese cyber criminals as a proxy to send phishing outside China. Similarly, Singapore is known for business-friendly hosting practices which also allow for malicious hosting as proxies. Furthermore, the good international reputation of Singapore allows attackers to bypass region-based IP blocking.

Looking at observed themes originating from Vietnam, the two most prominent are Social Networking and Gaming, suggesting that local cybercrime is focused on local account takeovers. These accounts can be sold for a small price to be used for other malicious activities, such as spam or scams by more advanced threat actors.

These are generally considered low-hanging fruits using available info stealers malware sent by phishing as opposed to high-skill hacking. Especially the high focus on gaming themes implies that the main share of cybercriminals is young people with higher digital literacy looking for small extra profit or thrill, exploiting the generally lower digital literacy and cybersecurity awareness of fellow citizens.

Drilling down into what specific brands are impersonated and in turn targeted by Vietnamese-origin campaigns, we see that Facebook and Garena gaming platforms are by far the most common.

We do observe a significant amount of Generic/Spear Phishing.

Out of 1500, 370 are VN TLD. Another 83 Facebook/Meta impersonations and the rest mostly various Vietnamese domains.

We can also see a lot of foreign brands, correlating with activities of advanced threat actors aiming abroad.

ASSET EXPOSURES & VULNERABILITIES

The top 15 exposed IoT devices by vendors: Vietnam

Exposed IoT devices play a significant role in cyber attacks due to their often inadequate security features and widespread adoption across various sectors. These devices can serve as entry points or targets in larger network breaches, primarily because they frequently lack robust encryption, undergo infrequent updates, and have default or weak credentials that are easily exploited. Once compromised, IoT devices can be used to form botnets, enabling attackers to conduct DDoS (Distributed Denial of Service) attacks, data breaches, or surveillance. Their connectivity and access to larger networks also make them a valuable asset for attackers looking to move laterally within infrastructure, escalate privileges, or disrupt critical services. This vulnerability is exacerbated by the rapid expansion of IoT devices in homes, industries, and cities without corresponding advancements in their security frameworks.

Most Exploited Vulnerabilities in Vietnam – Last 3 Months
Exploited Vulnerabilities Vendor Product
CVE-2017-9841 PHPUnit PHPUnit
CVE-2023-20198 Cisco Cisco IOS XE
CVE-2021-42013 Apache Apache HTTP Server
CVE-2017-18368 Zyxel/Billion ZyXEL P660HN-T1A v1, ZyXEL P660HN-T1A v2, Billion 5200W-T
CVE-2014-8361 Realtek Realtek SDK
CVE-2021-44228 Apache Log4j
CVE-2018-10562 Dasan Dasan GPON Home Router
CVE-2024-36401 Geoserver Geoserver
CVE-2019-11510 Pulse Secure Pulse Secure VPN
CVE-2015-2051 D-Link D-Link DIR-645, DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
CVE-2016-6277 Netgear NETGEAR R/D Series Routers
CVE-2017-5638 Apache Struts
CVE-2018-7600 Drupal Drupal
CVE-2019-10758 mongo-express mongo-express
CVE-2019-11580 Atlassian Crowd/Crowd Data Center
  • All the observed exploited vulnerabilities in the above list are also part of the CISA Known Exploited Vulnerability list.
  • As per CISA, the following vulnerabilities are exploited by Ransomware Groups as well: CVE-2021-42013, CVE-2021-44228, CVE-2018-10562, CVE-2019-11510, CVE-2017-5638, CVE-2018-7600.

CAMBODIA

OVERVIEW

Cambodia, a rapidly developing Southeast Asian nation, is experiencing a significant increase in cyber threats as it embraces digital transformation. The nation’s expanding digital economy and growing reliance on online services make it increasingly vulnerable to various cyber attacks, including data breaches, ransomware, and espionage campaigns targeting critical infrastructure. As Cambodia works to modernize its financial sector, government services, and telecommunications networks, the country faces mounting risks from both regional and international threat actors.

Cambodia’s geopolitical dynamics, including its complex relationships with powerful neighboring nations like China and Vietnam, add another layer of complexity to its cybersecurity posture. These relationships have the potential to increase the risk of state-sponsored cyber espionage aimed at government institutions and key economic sectors. Additionally, Cambodia’s relatively low cybersecurity maturity, particularly in its SME sector and rural regions, exacerbates these vulnerabilities, leaving critical systems and data exposed to a wide array of cyber threats.

In recent years, Cambodia has witnessed an uptick in cyber incidents, including phishing campaigns, Distributed Denial of Service (DDoS) attacks, and malware targeting both public and private sector organizations. To address these growing challenges, Cambodia must prioritize strengthening its cybersecurity capabilities by implementing robust policies, enhancing its threat intelligence framework, and building partnerships both regionally and globally. Establishing real-time threat intelligence sharing systems, both within the country and with international cybersecurity alliances will be critical to detecting and mitigating emerging threats. The development of public-private collaborations and cybersecurity education programs will also be essential in fostering greater awareness and resilience. These efforts, alongside the integration of advanced threat intelligence capabilities, are crucial to safeguarding Cambodia’s digital landscape against the increasingly sophisticated global cyber threat environment.

TRENDS IN THE CAMBODIA THREAT LANDSCAPE

RISE IN STATE-SPONSORED ESPIONAGE
Cambodia is increasingly targeted by state-sponsored threat actors, particularly from China and Russia, seeking geopolitical intelligence, government data, and economic secrets.

FOCUS ON CRITICAL INFRASTRUCTURE
Key sectors such as industrial conglomerates, government, and transportation are frequent targets, indicating a focus on disrupting critical services and stealing sensitive information.

INCREASED ATTACKS ON WEB APPLICATIONS
Web applications, being internet-facing, remain the most attacked technology (67%), followed by remote desktop software. Attackers are exploiting vulnerabilities to infiltrate organizations.

CYBERCRIME TARGETING SMEs AND FINANCIAL SERVICES
Cambodia’s small and medium enterprises (SMEs), often under-resourced in cybersecurity, face heightened risks from cybercriminals, especially in the financial services and e-commerce sectors.

SUPPLY CHAIN ATTACKS ON CRITICAL INFRASTRUCTURE
Cybercriminals are exploiting the weaker cybersecurity defenses of Cambodia’s SMEs, particularly those serving critical sectors like financial services, telecommunications, and energy. By targeting these smaller vendors, attackers gain access to larger, more secure organizations through trusted connections, bypassing their defenses. This growing trend highlights the risk of supply chain attacks on Cambodia’s critical infrastructure and major enterprises, as smaller, under-resourced partners provide an entry point for high-impact breaches.

DARKWEB ACTIVITY
There is a growing trend of stolen Cambodian data being sold on the dark web, indicating a surge in data breaches and increased activity in the underground cyber economy.

WHAT ATTRACTS CYBER THREAT ACTORS TO CAMBODIA?

RAPID DIGITAL TRANSFORMATION
Cambodia is undergoing significant digital transformation, with the growing use of online services in sectors such as finance, e-commerce, and government services. However, this growth often outpaces the development of robust cybersecurity measures, creating vulnerabilities that cyber threat actors can exploit.

WEAK CYBERSECURITY MATURITY
Cambodia’s cybersecurity infrastructure is still in its early stages, especially in rural and less-developed areas. A lack of comprehensive security policies, outdated systems, and under-resourced cybersecurity frameworks make Cambodian networks and organizations more vulnerable to attacks.

UNDER-RESOURCED SMEs
Small and Medium Enterprises (SMEs) play a vital role in Cambodia’s economy but often lack the resources to invest in cybersecurity. These businesses are easy targets for ransomware, data breaches, and phishing campaigns.

GEOPOLITICAL INTERESTS
Cambodia’s strategic location in Southeast Asia and its political alignment with countries like China can attract state-sponsored cyber threat actors. Espionage activities targeting government data, economic initiatives, and diplomatic communications are of interest to foreign intelligence agencies.

EXPANDING DIGITAL ECONOMY
Cambodia’s e-commerce and financial sectors are expanding rapidly, with a growing reliance on digital payments, online banking, and mobile financial services. This creates a target-rich environment for cybercriminals interested in fraud, identity theft, and financial data breaches.

FEW ADVANCED DETECTION CAPABILITIES
Many Cambodian organizations lack advanced security tools like intrusion detection systems, real-time monitoring, or incident response teams. This makes it easier for attackers to infiltrate systems undetected and maintain persistence within networks.

CRITICAL INFRASTRUCTURE VULNERABILITIES
Critical sectors such as energy, water, and telecommunications are in the process of digital upgrades, but often lack strong cyber resilience, attracting threat actors looking to disrupt essential services.

GEOPOLITICAL DYNAMICS AND CYBER THREATS IN CAMBODIA

Combodia’s geopolitical stance and its relationships with global powers profoundly influence its cybersecurity strategies.

CLOSE TIES WITH CHINA
Cambodia’s strong political and economic alignment with China exposes it to state-sponsored espionage, targeting government data, infrastructure projects, and key economic sectors. China’s influence could also lead to cyber-enabled influence operations aimed at shaping public opinion or political decisions.

ASEAN TENSIONS
Cambodia’s alignment with China creates friction within ASEAN, particularly regarding the South China Sea. Regional rivals may engage in cyber espionage to gather intelligence on Cambodia’s diplomatic stances and policies.

US AND WESTERN INFLUENCE
Cambodia’s strained relationship with the US and other Western nations, due to concerns over democracy and human rights, may make it a target for Western cyber espionage, particularly related to its dealings with China.

GROWING RUSSIAN PRESENCE
Russia’s increasing influence in Southeast Asia could bring with it both state-sponsored cyber espionage and cybercriminal activity, particularly in areas like ransomware and financial fraud.

CROSS-BORDER THREATS
Neighboring countries like Vietnam and Thailand may engage in cyber espionage due to political or territorial disputes, while cybercriminals could exploit Cambodia’s weaker cybersecurity infrastructure for cross-border attacks.

FOREIGN INVESTMENT RISKS
Cambodia’s reliance on foreign companies for infrastructure development, especially from China, raises the risk of supply chain attacks. International firms in Cambodia are also prime targets for cybercriminals.

TRENDS FROM THE DARK WEB – CAMBODIA

Targeted Industries observed in the APT Campaign – Cambodia

The chart represents the targeted industries observed in the APT campaign in Cambodia, based on data from 2024 Cyfirma early warning and Darkweb sources.

  • Industrial Conglomerates are the most targeted sector, accounting for 23% of the observed attacks.
  • Government institutions follow, comprising 15% of the targets.
  • Other sectors, each accounting for 8% of the attacks, include:
    • Textiles, Apparel & Luxury Goods
    • Diversified Financial Services
    • IT Services
    • Multiline Retail
    • Health Care Equipment & Supplies
    • Automobiles
  • Transportation Infrastructure and Aerospace & Defense sectors are also significant targets, each at 7%.

This distribution highlights a broad spectrum of industries being targeted, with a particular focus on critical infrastructure, government entities, and industrial sectors, suggesting a combination of economic espionage, infrastructure disruption, and intelligence-gathering efforts by APT groups.

TOP SUSPECTED THREAT ACTORS

Top Suspected Threat Actors Targeting Cambodia
Russia (75%): Russian state-backed groups are significantly involved, with notable actors being Cozy Bear (25%) and Fancy Bear (25%). These groups are known for conducting cyber espionage, particularly targeting government, defense, and infrastructure sectors. Additionally, TA505 (25%), although known for financial cybercrime, has been involved in high-profile attacks on critical infrastructure and sensitive industries.

China (25%): Chinese cyber threat actors also play a major role. The Leviathan APT group (25%) is one of the key Chinese-backed actors, often associated with espionage activities aimed at government, diplomatic, and industrial targets. This distribution suggests that Cambodia is targeted by both Russian and Chinese state-sponsored threat actors, focusing on espionage, critical infrastructure, and economic disruption. These actors are likely to exploit Cambodia’s geopolitical importance and relatively weaker cybersecurity defenses.

TOP ATTACKED TECHNOLOGY – CAMBODIA

The data shows that Web Applications account for the majority of attacks, comprising 67%, while Remote Desktop Software makes up the remaining 33%.

This significant focus on Web Applications is likely due to their internet-facing nature, making them more exposed and vulnerable to exploitation. Attackers often target web applications for vulnerabilities such as SQL injection, cross-site scripting (XSS), and authentication flaws to gain unauthorized access to sensitive data or disrupt services.

In contrast, Remote Desktop Software is also a major target, making up a third of attacks. This is often linked to attackers attempting to exploit weak remote access credentials or unpatched vulnerabilities to gain direct control over internal systems.

CAMPAIGNS TO DEFEND AGAINST

Here are some details about observed sample campaigns.

Malware Name Targeted Services/ Vulnerabilities Campaign Name Suspected Threat Actor Target Industries Target Geographies
Web Application, Remote Desktop Software mailman Leviathan Aerospace & Defense, Government, Industrial Conglomerates, Automobiles Cambodia, the United States, Japan, Philippines, Taiwan, the United Kingdom, Australia
FlawedAmmyy RAT, CosmicDuke, Zeus Bot, or Zbot Web Application Evian Fancy Bear,TA505,Cozy Bear Health Care Equipment & Supplies, Multiline Retail, Industrial Conglomerates, IT Services, Diversified Financial Services, Textiles, Apparel & Luxury Goods Myanmar, Singapore, Cambodia, the United States, Japan, Philippines, Malaysia, Thailand, Brunei, Canada, South Korea, Vietnam, Belgium, Timor-Leste, Australia, France, Laos, Germany, Indonesia

THREAT ACTORS TO WATCH

Leviathan (APT 40)

TA505, Cozy Bear, Fancy Bear

Patchwork (Dropping Elephant)

NOTABLE THREAT ACTORS TO WATCH

Leviathan (APT 40)
ORIGIN: CHINA
Activities
APT40, also known as Leviathan, is an APT that has been linked to the Chinese government, specifically to the Chinese Ministry of State Security (MSS). APT40 has been active since 2013 and the group is recognized for its state-sponsored espionage campaigns. The APT group is known for targeting regions and industries of strategic importance to China. APT40 focuses heavily on the Asia-Pacific region, particularly countries involved in maritime disputes or those with significant geopolitical relevance.

APT29 (also known as Cozy Bear)
ORIGIN: RUSSIA
Activities
APT29 is a Russian state-sponsored group linked to intelligence operations. While their primary focus has been on entities in the United States and Europe, there is limited public information about their activities in Cambodia. Given their global reach and interest in diplomatic and governmental data, Cambodian institutions involved in international affairs may be at risk of targeting by APT29.

APT28 (also known as Fancy Bear)
ORIGIN: RUSSIA
Activities
Associated with Russia’s military intelligence agency (GRU), APT28 is known for cyber espionage and disinformation campaigns. Although there are no widely reported incidents of APT28 targeting Cambodia specifically, their broad focus on government, military, and security organizations suggests that Cambodian entities within these sectors should remain vigilant against potential threats.

TA505
ORIGIN: BELIEVED TO BE FROM RUSSIA OR EASTERN EUROPE
Activities
TA505 is notorious for its extensive malicious email campaigns, which distribute banking Trojans and ransomware like Locky and Dridex. The group targets a wide range of industries globally, including finance, retail, and healthcare. While there are no prominent reports of TA505 attacks in Cambodia, the group’s global operations suggest that Cambodian entities should be aware of their threat.

Patchwork (Dropping Elephant)
ORIGIN: BELIEVED TO BE FROM INDIA
Activities
Patchwork (also known as Dropping Elephant) is a cyberespionage group known for targeting diplomatic and government agencies, recently they added businesses to their list of targets. Patchwork’s moniker is from its notoriety for rehashing off-the-rack tools and malware for its campaigns. The attack vectors they use may not be groundbreaking—what with other groups exploiting zero-days or adjusting their tactics—but the group’s repertoire of infection vectors and payloads makes them a credible threat.

I-SOON LEAKS – CHINESE CONTRACTOR

  • On February 18th, an anonymous user posted on GitHub over 500 files (178MB) leaked from i-SOON. They contained promotional materials, internal documents, contracts and targets, and internal communication revealing some victims and the company’s capabilities.
  • Countries targeted based on the documents include Hong Kong, Taiwan, South Korea, India, Pakistan, Kazakhstan, Kyrgyzstan, Thailand, Malaysia, Mongolia, Myanmar, Nepal, Rwanda, Vietnam, Indonesia, Cambodia, Nigeria, Egypt, and Turkey, also, very likely the USA, the UK, and NATO.
  • Leaked documents provided evidence of a contract hacking business inside mainland China. Various ”technology services” boutique shops are not too dissimilar from the Israeli NSO Group behind the infamous Pegasus spyware.
  • The leak also confirmed the existing trade of tools between various hacking groups and businesses in mainland China. i-SOON was buying tools from Infamous MISSION2025 aka APT41 known for developing Winnti and PLugX.
  • i-SOON is not only a hackers-for-hire business, they also provide intelligence collection and espionage services utilizing physical access.

DATA LEAKS

Data leaks play a crucial role in the landscape of cyber threats, acting as a significant vulnerability that can lead to a wide range of security issues and potential damages. When sensitive or confidential information is accidentally exposed or intentionally stolen and released, it can lead to identity theft, financial fraud, and a severe loss of trust and reputation for the affected organization. Such leaks often provide cybercriminals with the necessary data to conduct more targeted and effective attacks, such as phishing schemes, ransomware attacks, or further unauthorized access into secure systems. Additionally, data leaks can result in hefty regulatory fines and legal challenges, especially if the leaked information includes personally identifiable information (PII) protected under data privacy laws.

CYFIRMA observed a leaked database incident involving over 852,000 records from a website of a University leaked by a threat actor. The database uses MariaDB (version 10.3.39), and the credentials are tied to a server and database. This incident seems to be a retaliatory attack, potentially in response to the treatment of Cambodian hackers by Indonesia, as indicated by the message. It highlights potential cyber conflicts and retaliatory actions.

CYFIRMA observed 243 MB of data from the Cambodian government’s website.

CYFIRMA observed a potential data leak from the Occupational Medical Partners website under the Ministry of Labor and Vocational Training. The exposed data includes highly sensitive information, such as Khmer National Identity Card Numbers, file numbers, names in both Khmer and Latin scripts, dates of birth, gender, and registration details. This database contains over 124,680 entries.

HACKTIVIST

The Quantum of DDoS attacks increased globally after the start of the Russia-Ukraine war when pro-Russian and pro-Ukraine hacktivists started targeting each other and alliance nations to show support to their respective countries.

CYFIRMA observed numerous hacktivist collectives actively marketing and distributing unauthorized access credentials to various Cambodian government entities via Telegram channels. Such activities significantly heighten the risk to national security by potentially facilitating unauthorized data access and systems manipulation.

ASSET EXPOSURES & VULNERABILITIES

Most Exploited Vulnerabilities in Cambodia – Last 3 Months
Exploited Vulnerabilities Vendor Product
CVE-2014-8361 Realtek Realtek SDK
CVE-2015-2051 D-Link D-Link DIR-645, DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
CVE-2017-9841 PHPUnit – Sebastian Bergmann PHPUnit
CVE-2018-10562 Dasan Dasan GPON Home Router
CVE-2021-42013 Apache Apache HTTP Server
CVE-2016-6277 Netgear NETGEAR R/D Series Routers
CVE-2024-27198 JetBrains TeamCity
CVE-2024-28995 SolarWinds SolarWinds Serv-U
  • All the observed exploited vulnerabilities in the above list are also part of the CISA Known Exploited Vulnerability list.
  • As per CISA, the following vulnerabilities are exploited by Ransomware Groups as well: CVE-2018-10562, CVE-2021-42013, and CVE-2024-27198.