The AnonsecKh group, which goes by Bl4ckCyb3r on Telegram, claimed at least 73 attacks on Thai organizations in the two weeks following a May 28 incident in which a Cambodian soldier was killed in a skirmish with Thai forces.
# Incident Report: Hacktivist Campaign Against Thai Government and Private Entities
## Executive Summary
A Cambodian hacktivist group, AnonsecKh (Bl4ckCyb3r), launched a sustained campaign against Thai government, academic, and private sector entities following heightened border tensions. The primary impact involved service disruption due to DDoS attacks and website defacement, targeting nearly 73 organizations over two weeks, escalating after aggressive statements from the Thai military. Thai authorities have initiated legal action to identify and detain alleged perpetrators.
## Incident Details
- **Discovery Date:** Initial attacks claimed in March 2025; significant escalation noted after May 28, 2025.
- **Incident Date:** Campaign began in March 2025 and escalated in late May/early June 2025.
- **Affected Organization:** Multiple Thai government websites (including Ministry of Defense, Ministry of Foreign Affairs, Bangkok Metropolitan Administration), academic institutions, and manufacturing firms.
- **Sector:** Government, Education, Manufacturing.
- **Geography:** Thailand (Target), Cambodia (Attacker Origin, implied).
## Timeline of Events
### Initial Access
- **Date/Time:** Initial claims in March 2025; significant escalation followed the May 28, 2025, soldier fatality incident.
- **Vector:** Not explicitly detailed, but the nature of the attacks suggests targeting public-facing web services.
- **Details:** The group began by targeting Thai government websites in March, later expanding scope. Escalation occurred after June 6, 2025, when the Thai army stated readiness for military operations.
### Lateral Movement
- Not reported. The attacks consisted of external, disruptive actions against public-facing assets (DDoS and defacement), not internal network infiltration.
### Data Exfiltration/Impact
- **Impact:** Website paralysis due to traffic flooding (DDoS) and modification of website content (defacement).
### Detection & Response
- **Detection:** The attacks were noted and reported by the cybersecurity firm Radware and tracked by Hackmanac.
- **Response Actions:** Thailand’s Cyber Crime Investigation Bureau (CCIB) reportedly stated awareness of the threats, and a court approved warrants for two alleged members for identification and detention.
## Attack Methodology
- **Initial Access:** Not specified (likely exploiting publicly accessible application layers).
- **Persistence:** Not applicable for immediate DDoS/Defacement campaigns.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Standard for DDoS/Defacement, relying on large-scale traffic floods to overwhelm defenses.
- **Credential Access:** Not explicitly mentioned.
- **Discovery:** Targets were likely selected based on public information related to the border dispute.
- **Lateral Movement:** Not performed.
- **Collection:** Not explicitly mentioned beyond targeting specific organizations.
- **Exfiltration:** Not the primary objective; the campaign focused on disruption and protest.
- **Impact:** Denial of Service and Defacement.
## Impact Assessment
- **Financial:** Not quantified, but DDoS attacks result in lost productivity and potential costs for mitigation.
- **Data Breach:** No explicit large-scale data exfiltration reported, though website defacement indicates unauthorized content modification.
- **Operational:** Paralyzing servers for affected government and private-sector websites.
- **Reputational:** Negative impact on the targeted Thai entities' online presence.
## Indicators of Compromise
- **Network indicators:** Attack traffic likely originating from botnets or coordinated sources. No specific indicators were reported; the values `C2_IP_ADDRESS_1` and `Attacker_ASN_range` are placeholders, not observed addresses.
- **File indicators:** None specific reported (Defacement payload details missing).
- **Behavioral indicators:** Massive volumetric traffic floods targeting official web servers; content modification of official web pages.
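The two behavioral indicators above (per-source request floods and unauthorized page modification) can be checked with simple defender-side logic. This is an added example, not tooling from the report or from any organization it names; the access-log lines, page bodies and thresholds are constructed for illustration.

```python
"""Detection helpers for the behavioral indicators listed above.
Added example; log lines and page content are constructed, not real traffic."""
import hashlib
import re
from collections import Counter

# Constructed access-log lines in common log format (sample input, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jun/2025:10:00:01 +0700] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [06/Jun/2025:10:00:01 +0700] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [06/Jun/2025:10:00:02 +0700] "GET /?x=1 HTTP/1.1" 200 5120
203.0.113.5 - - [06/Jun/2025:10:00:02 +0700] "GET /?x=2 HTTP/1.1" 200 5120
198.51.100.7 - - [06/Jun/2025:10:00:03 +0700] "GET /news HTTP/1.1" 200 8000
"""

# Captures source IP and the timestamp (without timezone) from each log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\s\]]+)')


def flood_sources(log_text: str, threshold: int) -> dict:
    """Return {ip: peak_requests_per_second} for every source whose request
    count in any one-second bucket exceeds `threshold` (volumetric flood signal)."""
    per_bucket = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            per_bucket[(m.group(1), m.group(2))] += 1
    peak = {}
    for (ip, _second), n in per_bucket.items():
        peak[ip] = max(peak.get(ip, 0), n)
    return {ip: n for ip, n in peak.items() if n > threshold}


def page_fingerprint(body: bytes) -> str:
    """SHA-256 of the served page body, stored as the approved baseline."""
    return hashlib.sha256(body).hexdigest()


def defaced(baseline_hash: str, current_body: bytes) -> bool:
    """True when the served content no longer matches the approved baseline,
    i.e. the defacement indicator (unauthorized content modification) fires."""
    return page_fingerprint(current_body) != baseline_hash


if __name__ == "__main__":
    print(flood_sources(SAMPLE_LOG, threshold=1))
    baseline = page_fingerprint(b"<h1>Official page</h1>")
    print(defaced(baseline, b"<h1>Modified by attacker</h1>"))
```

In practice the baseline hash should be recorded from the release pipeline, not from a live fetch, so a page that was already altered is not accepted as the reference.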
## Response Actions
- **Containment:** Response actions were focused on law enforcement/judicial measures rather than technical containment of an internal breach; Thai authorities sought to identify and detain alleged actors.
- **Eradication:** Not currently applicable, as the threat (the hacktivist group) remains active; defaced or otherwise compromised systems would still need to be cleaned and restored once DDoS mitigation is in place.
- **Recovery:** Restoring service availability to targeted websites.
## Lessons Learned
- **Key Takeaways:** Geopolitical incidents rapidly translate into high-volume hacktivist cyber activity targeting national infrastructure and key economic sectors (manufacturing).
- **What could have been done better:** Proactive scaling of DDoS mitigation capabilities ahead of expected escalations based on political signaling.
## Recommendations
- Implement robust, scalable DDoS protection services across all critical government and strategic private-sector websites.
- Enhance monitoring for politically motivated or hacktivist chatter related to the border dispute.
- Review and strengthen the security posture of websites belonging to the Ministry of Defense, Ministry of Foreign Affairs, and key industrial targets.