Anonymous Cambodia: The OPSEC disaster
On the 30th August, 2012, a group of police officers met outside a local minimart near Riverside in Phnom Penh, Cambodia. Their mission was to raid and arrest anakata in his apartment located nearby as requested by Swedish authorities.
A group of hacktivists that calls itself NullCrew was quick to take revenge, carrying out attacks under the suitably chosen name “Operation TPB”. On the 2nd September, 2012, they began leaking documents, usernames and passwords from Cambodian computer systems. They attacked the Cambodian Ministry of Public Works, the Institute of Standards, the general taxation department and the military. NullCrew’s attacks hit the local media, and this is where the story about Anonymous Cambodia begins.
Most likely inspired by the press coverage of NullCrew’s attacks, the Cambodian branch of Anonymous was formed. They adopted NullCrew’s OpTPB, and on 12th September, 2012, the day after anakata landed in Sweden, it was reported that Anonymous Cambodia had broken into the Cambodian Ministry of Foreign Affairs, leaked sensitive data extracted from it and defaced its website, calling for anakata’s release.
The Cambodian branch went silent for a while, only to wake up ready for the national elections held in July, 2013. Accusing the ruling party of electoral fraud, they began defacing sites to spread their political message and DDoSing those that they could not deface. Their mission was to topple the government led by the Cambodian People’s Party, which has ruled the country with an iron fist since the fall of Pol Pot and the Khmer Rouge regime.
“Because he has no formal training and uses programming scripts created by others, he said that he is a ‘script kiddie’ and not a true hacker.”
Less than two weeks before the election, Anonymous Cambodia made their grand mistake. They participated in an interview with The Phnom Penh Post in which one of their members, “Black Cyber”, revealed personal information about himself and his agenda. In an interview with The Cambodia Daily he relied on a “blacked-out webcam and computer software to distort his voice for fear that the call would be intercepted by U.S. intelligence agencies”.
Black Cyber was portrayed as a twenty-something IT security consultant who had become involved in Anonymous by participating in Operation Payback targeting pro-copyright, anti-piracy organizations and payment processors which had withdrawn banking facilities from WikiLeaks, similar to the attacks which would later be carried out as revenge for the arrest of The Pirate Bay founder anakata. Black Cyber denied involvement in OpTPB.
The interview given by Black Cyber provided excellent profiling data for law enforcement agencies. He revealed the size of Anonymous Cambodia and claimed that three people had participated in attacks against the National Election Committee. Jao Kamsot, another individual who was interviewed for the article, said that he is a script kiddie and not a true hacker.
Immediately after the interview given by Black Cyber, the Cambodian Ministry of Interior Department of Security began collaborating with the United States’ FBI in an investigation against Anonymous Cambodia. On 7th April, 2014, 21-year-old Bun Khing Mongkul Panha, known online as Black Cyber, was arrested together with 21-year-old Chou Songheng, alias Zoro.
The pair was charged with cyber crimes conducted against 30 government websites including the National Election Committee, Ministry of Foreign Affairs, Ministry of Defense, Anti-Corruption Unit and Phnom Penh Municipality. They were charged with unauthorized access to an automated data processing system, obstructing the functioning of an automated data processing system and fraudulent introduction, deletion or modification of data. Black Cyber confessed immediately.
On 22nd April, 2014, an individual calling himself “Attacker Fiber” created a Facebook page named after the group, vowing revenge and posting YouTube videos showing how to conduct DDoS attacks. He used the page to market his own page (Attacker-Fiber), on which he advertised “Website Security Learning to be Anonymous” [sic], including SQL injection, defacement and backdoor techniques, for $100 per course. He also set up a site titled “Cambodia Security”, advertising the same services and posting guides for trivial things such as XAMPP installation.
On 29th April 2014, Anonymous Cambodia claimed on its Facebook page that they had breached the site belonging to the Anti-Corruption Unit, promising further attacks. Dim Chaoseng, the lawyer defending the members of Anonymous Cambodia arrested earlier, expressed his concerns, saying: “All the activity that Anonymous is doing at the moment is not going to help my clients. It is going to get more difficult to release my clients on bail.”
Only days after the claimed attacks against the Anti-Corruption Unit, on 1st May 2014, two additional (unnamed) members of Anonymous Cambodia were arrested and charged with disrupting the ACU using the moniker Game-Over-xX23xX.
Angered by the four arrests, on the 4th May 2014 the group attacked the Royal Gendarmerie, Ministry of National Defense and CamCERT (Cambodia Computer Emergency Response Team), demanding the release of their “comrades”. Military Police spokesman Kheng Tito was quoted as saying: “I don’t think their group has many people, and we will wipe it out.”
On 4th June, Attacker Fiber, a 17-year-old boy named Chin Neangleangmeng, became the 5th arrested member of Anonymous Cambodia. He confessed immediately.
Since the arrest of Attacker Fiber, the small but very cocky group has been very quiet online. Anonymous Cambodia is now held in Prey Sar Prison in Phnom Penh, which was built for 500 inmates but was reportedly the home of 3,000 inmates in 2011. They will most likely stay there until the authorities figure out how to punish them, as Cambodia currently lacks many internationally common cybercrime laws to regulate hacking and DDoS attacks.