Up next in 10
The Digital Frontline: Hacktivists, Proxies, and the AI-Driven Border War
Sep 25, 2025
This episode examines the rapid escalation of the Cambodia–Thailand military conflict into cyberspace, driven by 19 distinct nationalist hacktivist groups, including AnonSecKh/BL4CK CYB3R and Keymous, starting immediately after physical clashes in July 2025. These groups leveraged low-complexity tactics like website defacements and mass Distributed Denial-of-Service (DDoS) attacks—which spiked activity by 241%—often utilizing credentials found in public stealer logs for unauthorized access to government and corporate systems. We analyze how this digital conflict integrates sophisticated Information Operations (IO) employing fake accounts and exaggerated claims, reflecting a growing global trend where threat actors utilize AI tools like WormGPT and jailbreaking methods to automate attacks and influence operations. Sponsor: www.cisomarketplace.com (http://www.cisomarketplace.com)
View Video Transcript
0:00
Welcome to the deep dive. We're here to
0:01
cut through the noise, analyze the
0:03
sources, and give you the crucial
0:05
insights instantly. Today, we're diving
0:07
into something, well, pretty defining
0:09
for modern geopolitics. It's how quickly
0:11
physical disputes like border fights
0:14
just instantly spill over into cyerspace
0:16
and the chaos, the risk that creates. It
0:19
can actually far outweigh the uh the
0:21
physical conflict itself. We're focusing
0:24
on a specific flash point. Thailand and
0:26
Cambodia back in July and August of
0:29
2025. It's really a perfect, if kind of
0:32
terrifying example of how nationalistic
0:34
feelings can ignite immediate, damaging
0:37
digital warfare, often driven by proxy
0:39
forces and uh often mixed up with a lot
0:42
of deception.
0:42
Exactly. We've been digging into a
0:44
pretty detailed threat intelligence
0:45
report from that time. And we've layered
0:47
in the regional policy context, too. So,
0:48
the mission for you listening in isn't
0:50
just to grasp the mechanics of these
0:52
cyber clashes. It's really to see the um
0:54
the deep instability this mix creates.
0:57
You know, real damage blended with
0:58
outright fraud, especially for a region
1:00
trying so hard to build digital trust.
1:02
Okay, let's set the scene first. The
1:04
physical side. What actually triggered
1:06
this in late July 2025? Well, reports
1:09
were coming in about intense border
1:11
fighting. Thai and Cambodian forces
1:14
focused in Thailand's provinces like
1:16
Sissot, Surin, Burham, and uh Trat.
1:19
We're talking continual reports of
1:21
explosions, gunfire, pretty serious
1:24
stuff. Serious enough that martial law
1:26
was actually declared down in trap
1:27
province.
1:28
And yeah, this wasn't just random
1:29
skirmishing. It tapped into some really
1:31
deep-seated historical issues,
1:33
specifically Cambodia's claim over
1:35
Kokud. That's an island currently
1:37
controlled by Thailand, very near
1:39
Cochang, a big tourist spot. Yeah.
1:41
So, when you get military clashes mixed
1:43
with these potent national symbols, the
1:45
digital reaction is well instantaneous.
1:47
Yeah.
1:48
And very aggressive.
1:48
Right. And what makes this case stand
1:50
out, I think, is the timing. Because
1:52
this whole flare up happened shortly
1:53
after these major regional talks, talks
1:56
aimed at securing the very digital space
1:58
these attacks were hitting.
1:59
Exactly. Just a few months before in
2:00
January 2025, the fifth AEAN digital
2:04
ministers meeting, ADGMA, and had
2:06
wrapped up right there in Bangkok.
2:07
And what came out of that meeting? What
2:08
were they trying to achieve?
2:10
Well, the goals were ambitious and they
2:12
felt urgent. leaders like Malaysia's
2:15
minister in digital Gabin Singo were
2:17
really stressing this critical need. The
2:19
need for Ashan to um develop and deploy
2:23
consistent digital and cyber security
2:26
standards across the board fast. A big
2:28
driver was building trust, you know, a
2:31
trusted digital environment. Yeah.
2:33
Especially for tricky new areas like
2:35
artificial intelligence governance.
2:37
And the money involved really highlights
2:38
why this security, this trust is so
2:41
vital. Ashen's aiming to more than
2:43
double its digital economy. They're
2:45
shooting for what? Two trillion dollars
2:47
by 2030.
2:48
Staggering number.
2:49
Yeah. And that goal, it completely
2:51
depends on things like regional systems
2:53
working together, stability, mutual
2:55
trust, all the things that get blown up
2:56
the second a border dispute turns into a
2:58
digital free-for-all like this.
3:00
Absolutely. And to try and protect that
3:02
$2 trillion ambition, Malaysia took the
3:04
lead on some key projects at ADGMI in
3:07
2025. They announced the Azen AI safety
3:10
network focusing on deploying AI safely
3:12
across the region and crucially they
3:14
also agreed to spearhead the development
3:17
of the Azian cyber security cooperation
3:19
strategy for 2026 to 2030 which is you
3:22
know a long-term plan specifically meant
3:24
to build a resilient secure cyerspace.
3:27
So you have leaders talking about AI
3:29
safety networks, complex five-year
3:31
strategies, and then just weeks later,
3:33
practically they're dealing with like
3:35
low-level groups using old password
3:36
lists to try and crash government
3:38
websites. That gap, that gap between the
3:40
highle plans and the immediate digital
3:42
reality, that feels like the real story
3:44
here.
3:44
It really does. It just shows how
3:45
fragile the whole digital setup is when
3:47
national tensions spike.
3:49
Okay, before we get into who these
3:50
digital combatants actually were, let's
3:52
pause for a moment to thank our sponsor.
3:54
This deep dive is brought to you by
3:56
www.seomarketplace.com.
4:00
Look, if you're trying to simplify your
4:02
security strategy, maybe cut through the
4:04
sales noise and connect directly with
4:06
leading cyberc vendors, check them out.
4:08
That's www.seomarketplace.com.
4:12
Think of it as your shortcut to building
4:14
a more resilient defense, which, as
4:16
we're about to see, is absolutely
4:18
crucial when conflicts like this just
4:20
erupt out of nowhere. All right, let's
4:22
unpack this digital side then. The
4:24
shooting might have paused, but the
4:26
digital proxy war just ramped up. And
4:28
we're not talking sophisticated state
4:29
sponsored spies here, right? We're
4:31
mostly talking activists
4:32
primarily. Yes. Group IB, the source
4:34
we're drawing on, tracked an incredible
4:36
19 active activist groups just in that
4:38
intense twoe window, July 24th to August
4:40
7th.
4:41
19 groups in two weeks. Wow. Was it
4:43
balanced?
4:44
Slightly tipped, actually. They found 11
4:46
groups identified as pro Cambodia and
4:48
eight as pro Thailand. But here's the
4:49
really critical part. 14 of those 19
4:52
groups basically popped up after the
4:53
broader tension started rising back in
4:55
May 2025.
4:56
Ah, so they weren't lying dormant. They
4:58
formed in response.
4:59
Exactly. It shows just how fast
5:01
nationalist feelings once sparked by
5:03
military action can mobilize an um an
5:07
almost instant army of digital
5:09
volunteers or digital militia perhaps.
5:11
And how should we think about these
5:13
actors? The report called them what?
5:15
Largely opportunistic and
5:16
unsophisticated. That's the key phrase.
5:19
They weren't deploying zero days or
5:20
complex malware. Mostly they relied on
5:23
pretty basic stuff
5:23
like database attacks.
5:25
Dest. Yeah. Distributed denial of
5:27
service and simple website defacements.
5:30
You know, changing the homepage. The
5:32
main goal wasn't deep data theft
5:34
generally. It was about getting noticed,
5:36
causing disruption, maximum visibility.
5:39
So just to be clear, define patriotic
5:41
hacker in this context.
5:42
Right? In this scenario, it's someone
5:43
carrying out malicious digital acts
5:45
basically on behalf of their country
5:46
using readily available tools, often
5:48
lowcost ones. And crucially, they could
5:50
be acting with or without any kind of
5:52
nod from their actual government.
5:54
Self motivated.
5:55
Self-motivated. Yeah. Driven by
5:57
nationalism, patriotism, offering their
5:59
digital skills, such as they are, as
6:01
this kind of independent force.
6:03
And the numbers really show how
6:05
effective these simpler methods can be
6:07
for making noise. DOS attacks alone were
6:10
what about 31% of all the incidents they
6:12
track.
6:13
That's right. 109 separate DOS incidents
6:15
in just that twoe period.
6:17
It really is like the digital version of
6:19
just shouting slogans outside someone's
6:21
building. Annoying, disruptive, visible.
6:24
Precisely. And when you look at who they
6:26
were targeting, well, logically both
6:28
sides went after government and military
6:30
sites first. That makes sense. But it
6:32
spilled over really quickly. In
6:34
Thailand, they saw sustained attacks on
6:36
education and healthcare websites. You
6:38
know, hitting essential civilian
6:40
services.
6:41
Okay. And Cambodia.
6:42
For Cambodia, the targeting also
6:44
specifically included financial
6:46
services, trying to chip away at public
6:47
confidence in the economy, perhaps.
6:49
Okay. So, the pictures mostly activists
6:51
using fairly basic tools. But officials
6:54
on both sides started throwing around
6:56
accusations involving big state players,
6:58
right?
6:58
Oh, immediately. Thai officials were
7:00
suggesting Cambodia was getting help
7:02
from groups linked to North Korea. And
7:04
Cambodian authorities fired back,
7:06
accusing protey
7:09
Thai of major intrusions.
7:11
But yes, if the evidence points to these
7:13
opportunistic activists, why jump
7:16
straight to blaming North Korea? Is that
7:18
just politics trying to raise the stakes
7:20
internationally?
7:22
You absolutely hit the nail on the head
7:23
there. The critical finding from group
7:25
IB was clear. They found no verifiable
7:29
technical proof in the public domain to
7:31
back up claims of nation state groups
7:33
being involved in this specific fight.
7:35
So it's political spin.
7:36
It looks very much like a political
7:38
tactic. By mentioning powerful state
7:40
actors, even without proof, you elevate
7:42
what might be a minor border clash into
7:45
something that looks like a major
7:46
regional security crisis.
7:47
Right. Weaponizing the idea of cyber
7:49
warfare for diplomatic leverage.
7:51
Exactly. It confirms this was mainly a
7:54
activist-driven event, but one that was
7:56
immediately spun into a larger political
7:58
narrative. Okay, so that sets the stage
8:00
for the activist landscape. But then
8:02
things got well more interesting,
8:05
potentially more damaging. Let's talk
8:06
about the high-profile breach claims,
8:08
right? This is where we move beyond just
8:10
knocking websites offline and into
8:12
claims of serious data theft and
8:14
infiltration. Claims that, if true,
8:18
could be really destabilizing.
8:20
So, give us some examples. Where did it
8:21
look like maybe the attackers were a bit
8:23
more skilled even if they weren't
8:25
necessarily statebacked?
8:26
Well, one of the most striking claims
8:28
came from a pro Thailand group called
8:30
KEIS. They claimed they'd breached two
8:32
pretty critical Cambodian government
8:34
systems. One was the national vehicle
8:36
license plate system.
8:38
Okay, that's sensitive data.
8:39
Very. They alleged they exported over 3
8:41
million license plate records,
8:43
registration details, owner info
8:45
potentially. And to make it believable,
8:47
they offered this very specific proof, a
8:50
screenshot. It showed a 1993 Toyota
8:53
Camry registered in Fumpen.
8:55
Wow. That detail makes it feel real. It
8:58
makes the threat tangible to ordinary
8:59
people.
9:00
Exactly. It's designed to make the
9:01
public feel exposed, vulnerable. That's
9:03
a serious breach of public trust if
9:05
true. What about critical
9:07
infrastructure? Any claims there?
9:09
Yes. On the other side, a pro Cambodian
9:12
group, Cyber Kingdom, KH, claimed a
9:14
major hit against a prominent Thai
9:16
company, one involved in airport
9:18
management. Specifically, they said they
9:20
got into an admin console for something
9:22
called a Tibco Spotfire server.
9:25
What does that mean in practical terms?
9:27
Well, the files they posted seem to show
9:29
configuration details, system logs, even
9:33
network topology like the layout of the
9:35
airport's digital network, routing paths
9:38
for different systems. Now, if that
9:39
network information was genuine and
9:41
current, that's not just leaking data.
9:43
That's potentially handing over a
9:44
blueprint. A blueprint someone could use
9:46
to disrupt or even shut down physical
9:49
airport operations, travel, logistics.
9:51
Okay, that's a different level of threat
9:52
entirely.
9:53
It is. And the financial sector wasn't
9:55
immune either. Another pro Cambodian
9:57
group, Unknown SEC, claimed they'd
10:00
snagged customer credit card information
10:02
from a Thai financial institution.
10:04
So, hitting government, infrastructure,
10:06
finance, these claims seem almost
10:07
perfectly designed to undermine that
10:09
trust ASEAN is trying to build.
10:11
Precisely, whether they were entirely
10:13
true or not, the claims themselves so
10:16
chaos and doubt.
10:17
Which brings us neatly to the other side
10:19
of this coin, the deception factor.
10:22
Because in these chaotic situations,
10:24
not everything is what it seems.
10:26
Exactly right. This kind of environment
10:28
is absolutely ripe for fraud and
10:29
exaggeration. Activist groups are often
10:31
battling for attention, for influence as
10:34
much as they are for actual impact. So
10:36
you get this major problem of
10:38
exaggerated claims.
10:39
And we saw some really blatant examples
10:41
in this case, didn't we?
10:42
We did. There was one group BL4 CK CYB3R
10:47
claiming this huge government data leak.
10:49
Sounds traumatic, but then got exposed.
10:51
Their post was basically a word-for-word
10:53
copy of something an entirely different
10:55
unrelated actor called Kazu had posted
10:57
earlier.
10:58
Plagiarism in the cyber crime world
10:59
essentially. Yeah. And Kazu apparently
11:01
called them out publicly. BL4 CKCB3R
11:05
eventually had to admit on some dark web
11:07
form they were just trying to pull a
11:08
scam trying to get credibility or maybe
11:10
sell fake data.
11:11
Okay, so that's outright fraud. What
11:13
about just inflating the numbers?
11:15
Oh yeah, the classic exaggeration. We
11:17
saw that with a protide group, KH
11:18
Nightmare. They claim this absolutely
11:20
massive leak, 800 gigabytes of data from
11:23
71 different Cambodian government
11:25
organizations. Sounds devastating.
11:27
800 gigs is huge.
11:29
It is. But when analysts actually looked
11:31
at the data dump, it turned out to be
11:33
mostly old recycled credentials. You
11:36
know, URL login, password list, ulp
11:38
dumps, stuff that's probably been
11:39
circulating for ages, likely bought
11:41
cheap or scraped from previous unrelated
11:43
breaches.
11:44
So old news dressed up as a fresh
11:46
critical breach.
11:48
Exactly. They took old low-value data
11:50
and massively exaggerated its size and
11:53
significance to make a splash.
11:54
Okay, so we're dealing with this messy
11:56
landscape, some real low-level
11:58
disruption, some potentially serious
12:00
claims targeting critical systems, and
12:02
then outright scams and hype. If you're
12:05
an organization caught in the middle of
12:06
this, facing these opportunistic
12:08
attackers, what's the practical defense
12:10
strategy? Group IB had some advice,
12:12
right?
12:12
They did, and it's quite pragmatic. It
12:15
focuses on shoring up the basic
12:17
weaknesses these groups tend to exploit.
12:19
For DDOS, the big one, they recommend
12:21
redundancy, using multiple internet
12:23
service providers, so one getting hit
12:25
doesn't take you offline. Also, using
12:27
upstream filtering services to clean
12:29
traffic before it even reaches you. And
12:31
during active attacks, using features
12:33
like geencing,
12:34
geo fencing, blocking traffic from
12:36
outside your expected geographic
12:37
regions.
12:38
Right? If you're a Thai agency, maybe
12:40
block IPs from outside Southeast Asia
12:42
during a known attack wave. For website
12:45
defacements, the advice is pretty
12:46
standard cyber security hygiene. Keep
12:49
your content management systems, your
12:50
WordPress, your Drupal, keep them
12:52
updated, patch vulnerabilities, and use
12:54
a web application firewall, a way to
12:57
inspect traffic coming to your website
12:59
and block common attack pattern.
13:00
Okay, but hang on. If many of these
13:01
attackers are, as you said,
13:03
unsophisticated, using basic scripts,
13:05
maybe old passwords, do organizations
13:07
really need to spend on things like
13:09
multiple ISPs, fancy bouvs, complex geo
13:12
fencing, or is just doing the basics
13:14
good password policies timely patching
13:16
enough to stop say 90% of this stuff?
13:19
That's a really good question, and it
13:20
highlights the challenge for the high-v
13:22
value targets like that airport
13:24
management company or critical
13:25
government databases. Yes, the answer is
13:27
probably yes. They do need those robust
13:30
layered defenses because the potential
13:32
impact of a successful breach even by a
13:35
less sophisticated actor is
13:36
catastrophic. But for maybe the majority
13:39
of targets, those education sites,
13:41
smaller government agency pages, you're
13:43
right. A lot of it comes down to
13:45
fundamentals, especially against those
13:47
data leak claims fueled by old
13:48
credentials. What's the best defense?
13:51
monitoring for your own company's
13:52
credentials showing up in BR lists and
13:55
having strong enforced password
13:56
policies, making sure people aren't
13:58
reusing passwords, using multiffactor
14:00
authentication. In this kind of messy,
14:03
activistheavy environment, your internal
14:05
digital hygiene is often just as
14:07
important, if not more so, than your
14:09
fancy perimeter walls.
14:10
So, wrapping this deep dive up, it
14:12
really paints a clear picture of modern
14:14
conflict, doesn't it? Regional tensions
14:16
don't just stay physical anymore. They
14:18
instantly become digital warfare. And
14:20
the key takeaway maybe isn't just that
14:21
they use digital tools, but how these
14:24
proxy forces, these activists, they
14:26
weaponize disruption, sure, but also
14:29
disinformation, fraud. It makes it
14:31
incredibly hard to know what damage is
14:33
real versus what's just noise or a scam.
14:36
And that uncertainty, that erosion of
14:38
trust, that feels like the real
14:40
long-term risk here.
14:41
Absolutely. And the bigger picture here
14:43
is that you have the AEN region trying
14:44
to build this massive $2 trillion
14:47
trusted digital future while
14:49
simultaneously fighting off these
14:50
constant low-level but very high
14:52
visibility digital brush fires tied to
14:54
geopolitical spats. It just underscores
14:56
why that long-term ASEAN cyber security
14:58
cooperation strategy is so vital, but
15:00
also why it faces such huge media
15:02
practical challenges on the ground.
15:03
Which leads us perfectly into our final
15:06
provocative thought for you, the
15:07
listener, Chewon. We know proxy forces
15:10
like these are often used specifically
15:12
because they offer plausible deniability
15:14
to governments. So in this world of
15:16
escalating cyber tensions, how long can
15:18
international law stay fuzzy on this?
15:21
When does a so-called patriotic hackers
15:23
digital attack cross the line and become
15:25
an actual act of war? What scale of
15:27
disruption would it take? Would a
15:28
successful sustained attack knocking
15:30
out, say, a nation's entire airport
15:32
management system force the global
15:34
community to finally draw a clear,
15:36
unambiguous line in the sand? Something
15:38
to think about.
#Military
#World News