Warning: Cyber attacks have been used to create hatred against Cambodians

A warning report regarding cyber-attacks issued by the Thailand Telecommunications Sector CERT (TTC-CERT) has been tampered with, and prejudiced opinions have been inserted to fuel animosity towards the Cambodian population.

On July 3, 2023, TTC-CERT released a warning report titled “Alert: DDoS Attacks Targeting Various Sectors in Thailand”, revealing a cyber-operation named “OpThailand”, believed to be orchestrated by a group of hackers based in Cambodia. The groups involved in this operation include “Anonymous Cambodia,” “K0LzSec,” “CYBER SKELETON,” and “NDT SEC.” The attack was allegedly motivated by dissatisfaction with the construction of a Buriram province temple, which resembles a Cambodian temple structure.

TTC-CERT revealed crucial information about an ongoing cyber operation that commenced around June 29, 2023. The operation’s primary objective is to target both public and private websites in Thailand, utilising a method known as Distributed Denial of Service (DDoS) attacks. According to TTC-CERT’s findings, the perpetrators have threatened to pilfer sensitive data from the targeted government agencies and private organisations and expose it to the public.

TTC-CERT, or Thailand Telecommunications Sector CERT, was established in 2020 through the collaboration of the National Broadcasting and Telecommunication Commission(NBTC), the Telecommunications Association of Thailand under the Royal Patronage (TCTA), and nine private telecommunications companies, including CAT Telecom, TOT, CS Loxinfo, DTAC TriNet,  Triple T Broadband, True Internet, and Advanced Wireless Network. TTC-CERT serves as a central coordination and information exchange hub for cybersecurity, tasked with handling and mitigating cyber threats that may arise in the telecommunications industry.

Messages posted on Telegram announcing the so-called “OpThailand” by Anonymous Cambodia.

On July 5, 2023, the YouTube channel “Thailand and The World” broadcasted a video featuring the warning report issued by TTC-CERT. The footage, lasting over 8 minutes, was titled “Cambodian Hackers Launch Cyber Attack on Thailand! -, Dissatisfaction over Replicating Cambodian Design.”

The video’s narrator deliberately inserted content and comments aimed at inciting hatred towards Cambodians, accusing the cyber operation as a reaffirmation of a longstanding historical animosity where Cambodians do not view Thais in a positive light, influenced by a narrative propagated by the Cambodian government. Furthermore, the narrator suggested that this cyber operation might be related to issues concerning the smuggling and bribery of Cambodian illegal migrant workers in Thailand.

The content in the video mentioned above also calls for the Thai government and employers to “reduce their support for Cambodian workers” while simultaneously advocating for heightened surveillance and monitoring of Cambodian individuals within Thailand.

As of July 12, 2024, the video, uploaded on the YouTube channel “Thailand and The World,” has garnered over 123,000 views and received more than 1,400 comments, most of which express negative sentiments towards Cambodian individuals.

This video has further been shared across various platforms, including Twitter, Facebook, and TikTok. For instance, it has been disseminated on the Facebook page “Tourlong,” which frequently posts content related to Thailand and neighbouring countries, particularly Cambodia, with the intention of inciting negative feelings between the two parties.

Cofact’s findings:

 Cofact has investigated the claims regarding the cyber operation “OpThailand,” which a particular social media group used to highlight and foster hatred towards Cambodian people. These claims were based on the warning report issued by TTC-CERT regarding the cyber attacks and an interview with Mr Pissut Mungsamai, the Technical Lead of TTC-CERT, on July 11, 2023.

The investigation concludes the following:

Who are these hackers?

Currently, TTC-CERT is speculating that “a group of hackers from Cambodia might carry out the OpThailand” operation. This speculation is based on the group’s identification as “Anonymous Cambodia” and their use of both Khmer and English languages to communicate on the messaging app Telegram, where they strategise and provide updates on their activities. However, TTC-CERT has not found concrete evidence linking these hackers to the Cambodian government, suggesting they are not government-affiliated.

Mr. Pissut further mentioned that cybersecurity experts face difficulties in determining the hackers’ physical locations through device IDs or IP addresses because the hackers use compromised devices, commonly known as “hacked” devices, sourced from multiple locations. Over 700 IP addresses have been identified as sources of “bot” commands used to carry out attacks on specific websites owned by Thai government agencies and private companies. As a result, it is challenging to trace the attackers solely based on IP addresses.

The hackers have targeted multiple countries.

TTC-CERT has discovered that the hacker group responsible for “OpThailand” did not exclusively target websites in Thailand. They have conducted similar cyber attacks in several other countries, such as Indonesia, Malaysia, and India, without specifically targeting particular organisations or agencies. Instead, the hackers seize on any contentious issue in a country and use it as a pretext to launch their attacks. In the case of Thailand, the group cited dissatisfaction with the construction of a temple in Thailand that resembled the famous Cambodian-style architecture as their motivation.

According to Mr Pissut’s explanation to Cofact, these hackers do not exclusively focus on attacking Thailand but continuously exploit vulnerabilities in any organisation’s website with weaknesses or opportunities for attacks.

The temple referenced by the hacker group is known as “Wat Phumaanfa” or “Wat Prabhat Sila,” located in Nang Rong district, Buriram province. The construction commenced in 2019. However, in 2021, Cambodian social media users posted content claiming that the temple’s design bore a resemblance to Cambodian-style architecture. The temple’s head monk clarified to the media that the design was a product of artistic imagination, incorporating features from different ancient sites.

The comparison image features Wat Phumaanfa in Buriram province, Thailand, and Angkor Wat in Siem Reap province, Cambodia, which has been circulated among Cambodian social media users. The image has also been utilised by the hacker group as a pretext for their OpThailand operation.

OpThailand’s latest updates

TTC-CERT has found preliminary evidence indicating that the hacker group employed Distributed Denial of Service (DDoS) attacks against the websites of various government and private organisations. These targeted entities include the Comptroller General’s Department of the Ministry of Foreign Affairs, Praboromarajchanok Institute, Thai Airways International, U-Tapao–Rayong–Pattaya International Airport Bangkok Bank, and TISCO Bank. The hackers have also disclosed information obtained from a private company’s website. In their most recent claim on July 8, 2023 (Thai calendar), the group boasted a successful attack on a university’s website and announced their intention to carry out another operation in early August 2023. Until now, TTC-CERT has obtained valuable information from the targeted organisations, including details about the DDoS attack methods, Traffic Logs, and IP Addresses. This information is crucial for monitoring and preventing future attacks on other entities.

Summary by Cofact

1. The video titled “Cambodian Hackers Launches Cyber Attack on Thailand! – Dissatisfaction over Replicating Cambodian Design”, currently circulating on social media, contains both factual content from TTC-CERT’s warning report and opinion-based content, including speculations and interpretations to incite negative sentiments towards Cambodian by the content creator. Viewers should differentiate between the factual information and the opinions presented. For accurate information on the OpThailand cyber operation, the original reports by TTC-CERT should be referenced.

2. The TTC-CERT warning report and the interview with the technical lead of TTC-CERT indicate that the OpThailand cyber operation is the work of a single hacker group and is not representative of all Cambodian people. Using TTC-CERT’s report to incite negative emotions towards Cambodian people as a whole is not aligned with the facts.

3. The hackers behind this operation have targeted multiple countries and organisations, not only focusing on Thailand, and there is no evidence suggesting the operation is solely driven by discontent over temple architecture imitation. The reference to this issue in the video serves to support the cyber operation rather than being a genuine motive.

4. The demands made in the “Thailand and The World” video, urging the Thai government, employers, and recruiters to reduce the hiring of Cambodian workers and increase surveillance on Cambodians in Thailand, are not directly supported by the factual evidence provided by TTC-CERT. There is currently no evidence linking the cyber operation to Cambodian labours in Thailand. Such statements in the video could lead to negative sentiments towards Cambodians in Thailand and potentially strain the bilateral relationship between the two countries in the long run.