The Thai-Cambodian War of Cyber Attrition: Implications for ASEAN
The Thai-Cambodian cyber crossfire highlights ASEAN’s challenge in addressing gaps in international law to prevent both state and non-state actors from misusing cyberspace.
Between 28 May and 10 June, the Cambodian hacktivist group AnonSecKh (also known as ANON-KH or Bl4ckCyb3r) claimed responsibility for 73 politically motivated distributed denial-of-service (DDoS) attacks targeting Thai government bodies, military institutions, and key private sector players. Roughly 30 per cent of the attacks were aimed at government websites, with 26 per cent focusing on military infrastructure. Similarly, a Thai hacker group, BlackEye-Thai, has allegedly attacked nearly all the Cambodian government’s online systems since mid-July, while KH Night Mare had recently leaked 800GB worth of data on Cambodian government officials, claiming that it had gained full access to the Cambodian government’s top secret servers.
These actors exploit the anonymity inherent in cyberspace to launch attacks that align with state interests while preserving a layer of plausible deniability for their patrons. This tactic blurs the line between state and non-state responsibility, complicating attribution and the ability to hold perpetrators to account. Nonetheless, this difficulty has not stopped both sides from trading accusations, as seen in Cambodia’s recent claims of Thai hackers targeting its governmental websites and Thailand’s allegations of Cambodian operations using North Korean cyber assets. Against this backdrop, Thailand has reportedly established a round-the-clock “cyber war room” to monitor and mitigate attacks linked to the border conflict, collaborating with military and cybersecurity agencies to contain disruptive activities and counter disinformation campaigns allegedly emanating from Cambodian sources.
While the use of cyber operations is not a unique phenomenon during interstate conflicts – cyberattacks have been a common occurrence during the ongoing Russia-Ukraine conflict, for instance – cyberattacks between countries in Southeast Asia are rare. The exchange of cyberattacks between Thailand and Cambodia not only complicates ongoing diplomatic efforts for de-escalation but also exposes the uncomfortable reality that elsewhere in Southeast Asia, cross-border animosities amid state fragility and resource constraints can potentially snowball into cyber-related “grey zone” operations – activities just below the threshold of all-out warfare.
Cyberattacks on government portals, financial systems and especially critical infrastructure can have crippling consequences for the public. They can also undermine trust in government, especially when used in combination with malicious information operations by the adversary. Given such implications, it is crucial that aggressors be held to account.
However, current international legal frameworks are inadequate for regulating conduct in cyberspace of both state and non-state actors during international disputes. While there is broad agreement that the principles of the UN Charter, international humanitarian law (IHL), and human rights treaties extend to cyber operations, critical thresholds, such as what constitutes “use of force” in cyberspace or when a cyber operation qualifies as an “armed attack”, remain unresolved and hotly contested in international legal discourse. Also, current international law as applied to cyberwarfare predicates state responsibility on clear attribution; in the case of cyber operations conducted via proxies or hacktivist groups, this state-centric legal framework falters. Even principles like due diligence, which oblige states to prevent harmful cyber operations emanating from their territory, are limited in effect unless bilateral intelligence-sharing and technical cooperation arrangements exist for a state to alert another when a cyber intrusion emanates from the latter’s territory – mechanisms that could be undermined when interstate conflict emerges.
Efforts like the Tallinn Manual (and its subsequent iterations), which seeks to interpret how existing international laws apply to cyber operations, are non-binding. Regional arrangements, such as the ASEAN Checklist for the Implementation of the Norms of Responsible State Behaviour in Cyberspace, are similarly constrained by their non-binding nature and lack of verification protocols. The checklist also lacks discussion on cyber conduct during an interstate dispute or tension among ASEAN member states. The result is a legal and normative vacuum. The lack of dispute resolution mechanisms or technical confidence-building measures in the ASEAN region exacerbates this vulnerability.
Looking ahead, ASEAN faces both opportunities and constraints in operationalising forward-looking cyber initiatives. Through its ASEAN Cybersecurity Cooperation Strategy and sectoral bodies like the ASEAN Ministerial Conference on Cybersecurity (AMCC), ASEAN could adapt select principles from the Tallinn Manual into a regional code of conduct that reflects Southeast Asia’s specific geopolitical and capacity realities. However, ASEAN’s ability to translate these legal frameworks into enforceable mechanisms remains limited as the region’s principle of non-interference, coupled with uneven cyber capabilities among member states, constrains collective action.
Nevertheless, ASEAN should take pragmatic steps to gradually close the gap between aspirational legal norms and operational realities. One approach is to maximise the utility of the ASEAN Regional Computer Emergency Response Team (CERT), which was launched and hosted in Singapore in 2024, to serve as a regional hub for cybersecurity cooperation, enhancing coordination and information-sharing among member state CERTs while building capacity, fostering partnerships, and promoting collective resilience against cyber threats. However, these measures do not explicitly address circumstances in which there are state or non-state cyberattacks between member states. To address this shortcoming, the ASEAN CERT could be used to develop voluntary, yet transparent, confidence-building measures tailored to ASEAN’s geopolitical context. Activities may include coordinated public attribution statements or information-sharing protocols that could help establish patterns of responsible behaviour. Even in the absence of binding enforcement mechanisms, such initiatives can incrementally foster a culture of accountability and reduce the strategic ambiguity exploited by state-backed threat actors. They would not only improve situational awareness but also lay the groundwork for coordinated responses to cyber incidents, even when state responsibility is difficult to prove.
ASEAN’s success may not lie in mirroring Western legal frameworks, but in crafting its own hybrid approach to managing cyber conflicts in its neighbourhood. As the Thailand–Cambodia case demonstrates, amid legal ambiguity, non-state cyber actors can weaponise cyberspace to inflict immeasurable social and economic damage long after guns cease firing.
2025/269
Surachanee Sriyai was a Visiting Fellow with the Media, Technology and Society Programme at ISEAS – Yusof Ishak Institute. She is the interim director of the Center for Sustainable Humanitarian Action with Displaced Ethnic Communities (SHADE) under the Regional Center for Social Science and Sustainable Development (RCSD), Chiang Mai University.












