The Cambodia Daily | 7 April 2017
On March 7, activist monk Loun Sovath received a strange text message on his smartphone: a security confirmation code sent by Yahoo Mail, alongside a message asking him to reset his password.
The outspoken organizer had never requested a change.
He rushed to his computer, but it was too late: Hackers had reset the password for not only his email, but the Facebook account to which it was linked. A stranger was in control of a one-man media outlet with 60,000 followers.
Those fans had trouble understanding what was going on. Why was this longtime government critic now spewing vitriol at the opposition CNRP?
Loun Sovath tried to fight back by creating a new account featuring a tweaked display name and a profile photo captioned “Do Not Hack My Account.” But his online alter ego just mimicked his changes, re-sharing genuine posts from the newly-created page to sow further doubt.
“So many people were confused,” he said on Tuesday, still locked out of his account. The monk, however, was taking his digital alter ego in stride.
“It’s very funny they use it like this,” he said.
Beginning early last month and continuing through this week, hackers have conducted a spree of seemingly coordinated attacks against at least a dozen opposition lawmakers, activists and journalists, trying to access and often succeeding in hijacking email and social media accounts.
Victims include CNRP Vice President Eng Chhay Eang, opposition lawmakers Ho Vann and Mao Monyvann, and Boeung Kak activist Chan Puthisak.
Some victims said the hijacks occurred after they received account recovery text messages from Facebook, Google and Yahoo that they never requested, suggesting that hackers may have been able to see the contents of the confirmation messages using surveillance technology and then used them to reset passwords and take over the accounts.
If hackers have access to text messages—and a spate of leaks suggests that some do—experts say that millions of online accounts linked to Cambodian telephone numbers could be vulnerable.
Company representatives from Facebook, Google and Yahoo did not respond to requests for comment.
But activists and security experts say that the spate of attacks, whatever their perpetrators’ modes of infiltration, are just the latest broadside on personal privacy in a year marked by leaks, hacks and snoops.
“The meaning of privacy is increasingly thin in Cambodia, particularly for those perceived as critical of the government,” said Chak Sopheap, executive director for the Cambodian Center for Human Rights. “While citizens should be able to feel secure in the conduct of their personal communications and receive protection from both the state and ISPs [internet service providers], this does not reflect the Cambodian reality.”
The technology has also bruised the ruling party, with an anonymous hacker sending journalists thousands of text messages allegedly showing communications of 20 CPP-affiliated politicians, businesspeople and family members of Prime Minister Hun Sen last month.
An anonymous Facebook page titled Thleay, or “leaks,” also created last month, has posted documents and photographs, including what appears to be Hun Mana, Mr. Hun Sen’s eldest daughter, posing beside a bed with National Police chief Neth Savoeun.
The recent hacks have a simple cause, according to Loun Sovath: the intertwining of politics and the media.
“Facebook is strong. Stronger than TV, stronger than radio,” he said.
The popularity of Facebook pages critical of the government has threatened the CPP’s monopoly on older mass media, the monk argued, with an Asia Foundation survey published last year finding that the platform had surpassed television in popularity as a news source.
“Maybe the government cracked down to disturb the politics,” he said.
Interior Ministry spokesman Khieu Sopheak denied the accusation.
“Our government never—never—does anything that violates human rights,” he said, then paused. “Except for national security.”
Loun Sovath attends a Boeng Kak Lake protest in November 2011. (Lauren Crothers/The Cambodia Daily)
Although activists say the government has been tapping phones for years, an expansive new Telecommunications Law passed by the National Assembly in December 2015 gave privacy advocates chills.
The law “appears to create a power to secretly eavesdrop without any public accountability or safeguards to protect individuals’ right to privacy,” rights group Licadho wrote in an analysis released the following March.
The law grants the government broad scope to prosecute people for any electronic communication that it determines could fracture national security. It also bans listening to or recording communications without “legitimate authority,” without ever describing who might bestow such authority.
“Any private speech via telecommunications can no longer be considered truly private,” Licadho’s report says.
Those warnings soon proved prescient.
Just two months after the law was passed, the Facebook page of 25-year-old Phnom Penh manicurist Khom Chandaraty posted a number of audio clips that purported to be phone conversations between Ms. Chandaraty and then-deputy opposition leader Kem Sokha.
Ms. Chandaraty said her account had been hacked and initially denied that the conversations involved her. But the scandal quickly snowballed into a criminal case involving bribes and failed court appearances. Mr. Sokha was camped out at CNRP headquarters for more than six months, hiding out to avoid arrest, and five current and former rights workers were tossed behind bars, where they remain today.
Prime Minister Hun Sen later boasted of keeping extensive records of the alleged tryst, including passport information, plane tickets and even photos of the couple strolling through a Bangkok airport, all on his phone.
Over the last six months, another half-dozen CNRP officials saw what appeared to be their private phone conversations broadcast over Facebook. Visitors to the seemingly pro-CPP Facebook page “Sei Ha”—or to government-aligned Fresh News, which quickly picked up the recordings—heard then-CNRP President Sam Rainsy allegedly chatting up a waitress, and former opposition lawmaker Pen Sovann purportedly speaking to an underage girl in a recording posted just days after his death at age 80.
Mr. Hun Sen and his son Hun Manith were also swept up in leaks, with screenshots surfacing on Facebook allegedly showing both men speaking to popular social media provocateur Thy Sovantha at the end of last year.
Then, in early February and early last month, activists and popular CNRP sympathizers began losing control of their digital selves.
Kao Sophea, a photographer and administrator of Mr. Rainsy’s popular page, said his Facebook woes began early last month, when he received an unsolicited SMS from the company telling him to reset his password using a six-digit confirmation code.
Mr. Sophea was busy and ignored the message until a few hours later, when he attempted and failed to log in to his account.
“I’m sure someone hacked my account,” he said on Tuesday. “I think our country’s system to control social media is unsafe, when it’s so easy for private things to be hacked by someone.”
On Monday, a similar attack hit Ma Chettra, a photographer for Social Breaking News, a Facebook page that regularly publishes content critical of the government.
“I thought that someone tried to hack my Facebook when I got an email message from Facebook sending a six-digit code to me,” he said.
But the hackers were unable to breach either his email or social media accounts—likely, he said, because they were tied to a U.S. phone number.
And after CNRP youth activist Keatha Ngoeum had her Facebook and Google accounts hacked—both tied to her Cambodian phone number—she said she no longer links such numbers to her accounts.
“I’m feeling not safe on Facebook,” she said. “I don’t know when they will hack again.”
Cambodia has almost 4.8 million domestic Facebook users, according to the technology website Geeks in Cambodia, with most likely opting to open an account using a phone number rather than an email address.
Khom Chandaraty looks away from reporters while sitting in a car after being questioned at the Phnom Penh Municipal Court in April last year. (Siv Channa/The Cambodia Daily)
Any systematic breach of the country’s SMS communications, then, has the potential to affect millions of users, experts say.
Sean Sullivan, an adviser for the global security firm F-Secure, deemed it “quite plausible” that hackers could see text messages and use them to hijack accounts.
“There are numerous banking trojans that can catch SMS and forward them on,” he wrote in an email, referring to a breed of malicious software disguised to look benign that has targeted banking systems. “But in the case of an adversary with access to the telecom network, you wouldn’t even need a trojan on the target’s device.”
The security gap is a “well-known weakness” in the SMS-based authentication systems used by such companies, Mr. Sullivan said.
A local security expert, who asked to remain anonymous for fear of becoming a target, predicted continued attacks on opposition-aligned politicians and activists.
“SMS is not safe to recover Facebook or email accounts,” said the expert, who commented over an encrypted messaging app. “Like it or not, we are living in the digital world that we don’t like.”
CNRP spokesman Yim Sovann said last week the breaches in privacy were a concern for “the whole country,” not just his party, and said the party had limited tools to protect itself.
“We do not want to talk too much about what we are doing right now,” he said. “The law is violated, the constitution is violated. What can we do?”
CNRP Vice President Mu Sochua said the lack of independent courts and “arbitrary” investigations into the sources of the leaks prevented opposition members from filing legal complaints.
“It would be impossible to prevent leaks no matter how hard we tried,” she wrote in an email last week.
Both Mr. Sovann and Ms. Sochua subsequently announced that their Gmail accounts had been breached in Facebook posts earlier this week.
Naly Pilorge, director of Licadho, said the organization began training its staff and close partners in secure communications in 2011.
Local NGOs, activists, and even government officials had become much more cautious over the past decade and especially last the few years, she said, switching from phone lines to encrypted apps like WhatsApp and Signal.
Licadho stopped using phones almost entirely, Ms. Pilorge said.
“No one can do enough, partly because technology changes so fast,” she said. “Once in a while I send a text to let them know I’m alive.”
The government says it is taking the breaches seriously.
General Sopheak, the Interior Ministry spokesman, said the government was investigating the hacks, but he didn’t think there was enough evidence for a criminal complaint. He said a newly created cybercrime department would add to the ministry’s know-how.
“Sometimes the technology of the police is weaker than the technology of the culprit,” he said.
Meanwhile, Gen. Sopheak said Cambodia was urging the U.S. and other countries to help prosecute Facebook pages that distribute inflammatory cartoons and posts.
“We ask for their cooperation to investigate,” he said, but U.S. officials “say this is a freedom of expression.”
Experts say Cambodians need to do more to protect themselves.
The country’s high levels of software piracy, lack of trained professionals and limited knowledge of safe digital practices made it especially vulnerable to cybercrime, according to Keshav Dhakad, regional director of Microsoft’s digital crimes unit.
“Cambodia being an emerging market and with increasing adoption of IT but not sufficient awareness, knowledge & skills-sets to deal with cyber attack…makes the environment an easy target of cybercriminals,” he wrote in an email.
Other security experts advised removing Cambodian phone numbers tied to Google, Facebook and other accounts.
“The first thing I’d do is change my mobile device number and stop using SMS as a second factor,” wrote Matthew Pascucci, a New York-based privacy advocate and security blogger. “I’d let as many people know that using SMS as a second factor is now outdated and deemed insecure.”
Loun Sovath, the monk, said he no longer followed Facebook prompts on his new account asking him to enter his phone number.
“They control everything,” he said of the government. “They cannot control Facebook company, they cannot control Google company, but they can hack.”