RedJuliett Cyber Surveillance Operation Affects 75 Taiwanese Entities
A probable China-linked government-backed threat actor has been associated with a cyber espionage operation aimed at governmental, academic, technological, and diplomatic institutions in Taiwan during the period from November 2023 to April 2024.
Insikt Group from Recorded Future is monitoring the campaign with the codename RedJuliett, characterizing it as a group that functions from Fuzhou, China, to aid Beijing’s intelligence gathering objectives concerning the East Asian nation. It is also identified by the aliases Flax Typhoon and Ethereal Panda.
Along with Taiwan, the collective has also targeted other nations including Djibouti, Hong Kong, Kenya, Laos, Malaysia, the Philippines, Rwanda, South Korea, and the U.S.
As many as 24 victim organizations have reportedly been seen communicating with the malicious infrastructure of the threat actor, including governmental agencies in Taiwan, Laos, Kenya, and Rwanda. The campaign is also believed to have focused on at least 75 Taiwanese bodies for wider reconnaissance and subsequent exploitation.
“The collective targets internet-facing devices such as firewalls, load balancers, and corporate virtual private network (VPN) products for initial entry, in addition to trying structured query language (SQL) injection and directory traversal exploits against web and SQL applications,” the firm highlighted in a recent report.
As previously pointed out by CrowdStrike and Microsoft, RedJuliett is known for using the open-source software SoftEther to tunnel malicious traffic out of compromised networks and for relying on living-off-the-land (LotL) techniques to remain undetected. The group is presumed to have been active since at least mid-2021.
“Furthermore, RedJuliett employed SoftEther to manage operational infrastructure consisting of both servers controlled by the threat actors rented from virtual private server (VPS) providers and compromised infrastructure owned by three Taiwanese universities,” Recorded Future stated.
After successfully gaining initial access, the threat actor deploys the China Chopper web shell to maintain persistence, alongside other open-source web shells such as devilzShell, AntSword, and Godzilla. Some intrusions also involved the exploitation of a Linux privilege escalation flaw known as DirtyCow (CVE-2016-5195).
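The sequence described above (probing web applications with SQL injection and directory traversal, then dropping a web shell) leaves a recognisable trail in web server access logs. The following is an added example written for this article, not code from Recorded Future's report or from any of the named vendors: a small Python scanner over constructed, sample Apache-style log lines that flags traversal and injection attempts and then raises a further "possible-webshell" tag when the same source IP later POSTs to a server-side script. The log lines, the IP addresses, the file paths and the regex heuristics are all assumptions chosen for illustration and will need tuning for a real environment.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (common log format). These are not real
# captures from any RedJuliett victim; IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
203.0.113.10 - - [12/Mar/2024:10:01:05 +0000] "GET /index.php?id=1'%20OR%20'1'='1 HTTP/1.1" 200 4096
203.0.113.10 - - [12/Mar/2024:10:01:09 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024
198.51.100.7 - - [12/Mar/2024:10:02:11 +0000] "GET /about.html HTTP/1.1" 200 2048
203.0.113.10 - - [12/Mar/2024:10:05:33 +0000] "POST /uploads/img.php HTTP/1.1" 200 64
198.51.100.7 - - [12/Mar/2024:10:06:00 +0000] "POST /contact HTTP/1.1" 302 0
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Heuristic patterns (assumptions, not a complete signature set).
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/etc/passwd|/proc/self)', re.I)
SQLI_RE = re.compile(
    r"('\s*(or|and)\s*'?\d|union\s+select|sleep\s*\(|--\s*$|;\s*drop\s)", re.I
)
# Server-side script extensions a dropped web shell would typically use.
SCRIPT_EXT_RE = re.compile(r'\.(php|jsp|jspx|aspx?|ashx)$', re.I)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Walk the log in order and return a list of findings.

    Each finding is {"ip", "ts", "path", "tags"}. A source IP that has already
    triggered a traversal or SQL injection tag is treated as suspicious, so a
    later POST from it to a script file is tagged "possible-webshell".
    """
    findings = []
    suspicious_ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Decode twice so double-encoded sequences such as %252e%252e are caught.
        decoded = unquote(unquote(rec["path"]))
        tags = []
        if TRAVERSAL_RE.search(decoded):
            tags.append("traversal")
        if SQLI_RE.search(decoded):
            tags.append("sqli")
        if tags:
            suspicious_ips.add(rec["ip"])
        script_path = decoded.split("?", 1)[0]
        if (rec["method"] == "POST"
                and SCRIPT_EXT_RE.search(script_path)
                and rec["ip"] in suspicious_ips):
            tags.append("possible-webshell")
        if tags:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": rec["path"], "tags": tags})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {','.join(f['tags'])} {f['path']}")
```

Run against the sample, the scanner reports the injection probe, the traversal probe, and the subsequent POST to `/uploads/img.php` from the same address; the benign requests from the second IP produce nothing. The correlation step is deliberately simple (in-memory, ordered by log position) so the logic is visible; a production version would key on a time window and also check the server's filesystem for newly created script files.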

“RedJuliett is likely focused on gathering intelligence regarding Taiwan’s economic strategies and trade, as well as its diplomatic ties with other nations,” the report stated.
“RedJuliett, akin to several other Chinese threat actors, is presumably exploiting vulnerabilities in internet-facing devices due to their limited visibility and lack of effective security measures, which has proven to be an efficient means for initial entry.”

