Cyber Espionage Linked to Chinese State Actors Targets Taiwan’s Institutions
A cyber espionage campaign, likely orchestrated by a China-linked state-sponsored threat actor, has been reported to target various sectors in Taiwan, including government, academia, technology, and diplomatic organizations, from November 2023 to April 2024. This operation, monitored by Recorded Future’s Insikt Group under the name RedJuliett, highlights ongoing tensions and intelligence-gathering efforts aligned with Beijing’s strategic interests in East Asia.
RedJuliett is identified as a cluster of malicious activity originating from Fuzhou, China, aiming to support the Chinese government’s intelligence operations regarding Taiwan. The group has also been referred to by other aliases, including Flax Typhoon and Ethereal Panda. In addition to Taiwan, RedJuliett’s activities have extended to various nations such as Djibouti, Hong Kong, Kenya, Laos, Malaysia, the Philippines, Rwanda, South Korea, and the United States, indicating a broad scope of interest from this adversarial collective.
Throughout the analyzed timeframe, it is estimated that as many as 24 organizations interacted with infrastructure linked to RedJuliett, notably including government entities from Taiwan, Laos, Kenya, and Rwanda. The group is believed to have targeted at least 75 Taiwanese organizations for extensive reconnaissance, laying the groundwork for subsequent exploitation.
Insights from Recorded Future reveal that RedJuliett employs a variety of tactics to gain initial access to target organizations. The group focuses on internet-facing devices, including firewalls, load balancers, and enterprise virtual private network (VPN) systems. They have utilized techniques such as structured query language (SQL) injection and directory traversal attacks to compromise web and SQL applications. These methods align with the MITRE ATT&CK framework, particularly under the tactics of initial access and exploitation of vulnerabilities.
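As an added defensive illustration (not taken from the Insikt Group report or any RedJuliett indicator set), the script below triages web server access logs for the two initial-access techniques named above, directory traversal and SQL injection. The log lines are constructed samples, and the regular expressions are generic illustrative patterns, not campaign-specific signatures.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed sample access log lines (combined log format); not real telemetry.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2024:10:01:02 +0800] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2024:10:01:05 +0800] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1844 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Jan/2024:10:02:14 +0800] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 310 "-" "curl/8.4"
203.0.113.12 - - [12/Jan/2024:10:03:00 +0800] "GET /static/%2e%2e%2f%2e%2e%2fwindows/win.ini HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.13 - - [12/Jan/2024:10:04:31 +0800] "GET /search?q=union+select+1,2,3-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Jan/2024:10:05:00 +0800] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Illustrative patterns (assumptions for this example), applied after full decoding.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
SQLI_RE = re.compile(r"('\s*(or|and)\s*'?\d|\bunion\s+select\b|--\s*$|;\s*drop\b)", re.IGNORECASE)

def decode_path(path: str) -> str:
    """Percent-decode until stable so double-encoded traversal (..%252f) is caught."""
    prev = None
    while prev != path:
        prev, path = path, unquote_plus(path)  # '+' -> ' ' also normalises query strings
    return path

def classify(path: str) -> Optional[str]:
    """Return the technique label a request path matches, or None if it looks benign."""
    decoded = decode_path(path)
    if TRAVERSAL_RE.search(decoded):
        return "directory_traversal"
    if SQLI_RE.search(decoded):
        return "sql_injection"
    return None

def triage(log_text: str) -> list:
    """Parse each log line and collect requests flagged by classify()."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        kind = classify(m["path"])
        if kind:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "kind": kind, "path": m["path"]})
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 on a traversal path (as in the second sample line) deserves priority over a 404, since it suggests the server actually returned the requested file.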
Notably, RedJuliett has historically used open-source software like SoftEther to facilitate data tunneling from compromised networks while employing living-off-the-land techniques to evade detection. CrowdStrike and Microsoft have indicated that this group has been active at least since mid-2021, leveraging their technical skills to establish a foothold in their targets’ networks.
After successfully infiltrating a system, RedJuliett utilizes tools like the China Chopper web shell to ensure persistence. Additionally, they have deployed other open-source web shells, including devilzShell, AntSword, and Godzilla. Occasional instances of exploiting the well-known Linux privilege escalation vulnerability "Dirty Cow" (CVE-2016-5195) have also been recorded, further showcasing their versatile approach to maintaining access.
The ongoing operational strategy of RedJuliett seems focused on gathering intelligence related to Taiwan’s economic policies and its diplomatic relations with other entities. Like many Chinese cyber actors, RedJuliett appears to target vulnerabilities in devices exposed to the internet, as these systems often have limited visibility and security measures in place. This strategy has proven effective for enabling initial access and further exploitation.
In response to allegations, the Ministry of Foreign Affairs in China has characterized the reports of cyber espionage as "fabricated disinformation," emphasizing the complexity of attribution in cyber operations. This assertion reflects the broader geopolitical narrative surrounding cybersecurity, where accusations can often escalate tensions between nations.
As businesses and organizations continue to navigate the evolving landscape of cyber threats, a keen awareness of these tactics can empower them to strengthen their cybersecurity measures and reduce their risk of exposure to similar campaigns in the future.