Cyber Espionage Campaign RedJuliett Targets 75 Taiwanese Entities

June 24, 2024

A cyber espionage campaign named RedJuliett, believed to be orchestrated by a state-sponsored threat actor with links to China, has been observed infiltrating various sectors in Taiwan. This activity, which spanned from November 2023 to April 2024, has been monitored by Recorded Future's Insikt Group. The group identified RedJuliett as a cluster operating out of Fuzhou, China, likely supporting Beijing's intelligence collection goals concerning Taiwan. The group is also tracked under the names Flax Typhoon and Ethereal Panda.

Other countries that have been targeted by this adversarial collective include Djibouti, Hong Kong, Kenya, Laos, Malaysia, the Philippines, Rwanda, South Korea, and the U.S. In total, about 24 victim organizations were found to be communicating with the threat actor's infrastructure. These organizations include government agencies in Taiwan, Laos, Kenya, and Rwanda. It's estimated that at least 75 Taiwanese entities have been targeted for broader reconnaissance and subsequent exploitation.

The modus operandi of the group includes targeting internet-facing appliances such as firewalls, load balancers, and enterprise virtual private network (VPN) products for initial access. They also attempt structured query language (SQL) injection and directory traversal exploits against web and SQL applications, according to a report published by the company.

As documented by CrowdStrike and Microsoft, RedJuliett employs the open-source software SoftEther to tunnel malicious traffic out of victim networks. It also uses living-off-the-land (LotL) techniques to avoid detection. The group is believed to have been active since at least mid-2021. RedJuliett also used SoftEther to manage operational infrastructure that includes both threat actor-controlled servers leased from virtual private server (VPS) providers and compromised infrastructure belonging to three Taiwanese universities.

Upon gaining initial access, the group deploys the China Chopper web shell to maintain persistence. They also use other open-source web shells like devilzShell, AntSword, and Godzilla. In some cases, they exploited a Linux privilege escalation vulnerability known as DirtyCow (CVE-2016-5195).
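The initial-access probing described above (directory traversal and SQL injection against web applications) and the web-shell activity that follows both leave traces in web server access logs. The following Python triage script is an added example, not part of the report or of any vendor tooling: it parses combined-format access log lines, URL-decodes request targets, flags traversal and SQL injection patterns, and flags repeated POSTs from one client to a single script file, the traffic shape of a web shell receiving commands. The log lines, IP addresses and paths are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log (combined log format); not taken from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:03 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 9823 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:05 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1207 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:02:00 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 44 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2024:10:02:01 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 61 "-" "python-requests/2.31"
192.0.2.7 - - [12/Mar/2024:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/etc/passwd|/proc/self)', re.I)
SQLI_RE = re.compile(r"('\s*(or|and)\s+\d|union\s+select|sleep\s*\(|--\s*$|;\s*drop\s)", re.I)
SCRIPT_RE = re.compile(r'\.(php|aspx?|jsp|ashx)$', re.I)


def decode(target):
    # Decode twice so double-encoded traversal or SQLi payloads are not missed.
    return unquote(unquote(target))


def triage(log_text):
    """Return (rule, client_ip, detail) findings for suspicious access log lines."""
    findings = []
    posts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        ip, method, target = m['ip'], m['method'], decode(m['target'])
        if TRAVERSAL_RE.search(target):
            findings.append(('traversal', ip, target))
        if SQLI_RE.search(target):
            findings.append(('sqli', ip, target))
        path = target.split('?', 1)[0]
        if method == 'POST' and SCRIPT_RE.search(path):
            posts[(ip, path)] += 1
    # Repeated POSTs from one client to one script file: typical of web-shell command traffic.
    for (ip, path), n in posts.items():
        if n >= 2:
            findings.append(('webshell_posts', ip, f'{path} x{n}'))
    return findings


if __name__ == '__main__':
    for rule, ip, detail in triage(SAMPLE_LOG):
        print(f'{rule:15} {ip:15} {detail}')
```

Thresholds and patterns here are deliberately simple; in practice, tune the SQLi and traversal expressions against your application's legitimate query shapes and correlate the web-shell rule with file creation events under web-accessible upload directories.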

The primary interest of RedJuliett is likely collecting intelligence on Taiwan's economic policy, trade, and diplomatic relations with other countries. Like many other Chinese threat actors, RedJuliett targets vulnerabilities in internet-facing devices, because such devices typically give defenders limited visibility and host few security controls, making them an effective way to gain initial access.
