A suspected state-backed threat group associated with China has conducted a sophisticated cyber espionage campaign targeting a wide array of organizations in Taiwan from November 2023 to April 2024.
Recorded Future's Insikt Group tracks this activity under the codename RedJuliett, describing it as a cluster likely based in Fuzhou, China, whose objectives align with Beijing's intelligence-gathering priorities concerning Taiwan. The same activity cluster is also tracked under the names Flax Typhoon and Ethereal Panda.
In addition to Taiwan, the group has also focused its efforts on other nations including Djibouti, Hong Kong, Kenya, Laos, Malaysia, the Philippines, Rwanda, South Korea, and the United States.
The threat actor's infrastructure has been observed communicating with up to 24 victim organizations, including government bodies in Taiwan, Laos, Kenya, and Rwanda. The campaign also conducted reconnaissance and subsequent exploitation attempts against at least 75 Taiwanese entities.
“The group’s primary focus lies on internet-facing devices such as firewalls, load balancers, and enterprise VPN products for initial infiltration. They utilize techniques such as SQL injection and directory traversal exploits against web and SQL applications,” stated the latest report by the company.
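The directory traversal and SQL injection probes quoted above are the kind of activity that leaves traces in web server access logs. The following Python example is added here for illustration; it is not from Recorded Future's report and is not associated with any of the organizations named. It parses a few constructed combined-format log lines (the IP addresses, paths and timestamps are made-up sample data), URL-decodes each request target repeatedly so that double-encoded payloads are normalized, and tags requests that carry traversal or injection indicators. The regular expressions are deliberately narrow and are assumptions about what a first-pass hunt would look for, not a complete signature set.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:09:15:02 +0800] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:09:15:05 +0800] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1870 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:09:15:09 +0800] "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 221 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2024:09:16:00 +0800] "GET /login.php?user=admin%27%20OR%201%3D1--&pass=x HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:09:16:03 +0800] "GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 0 "-" "python-requests/2.31"
192.0.2.44 - - [12/Mar/2024:09:17:10 +0800] "GET /about.html HTTP/1.1" 200 3020 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are assumptions for a first-pass hunt; tune them for the applications you actually run.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
SQLI_RE = re.compile(
    r"""('\s*(or|and)\s+\d+\s*=\s*\d+|union\s+(all\s+)?select|--\s*$|;\s*(drop|sleep|waitfor)\b|sleep\s*\()""",
    re.I,
)


def normalize(target: str) -> str:
    """URL-decode up to three times so double-encoded payloads (e.g. %252e) are unwrapped."""
    prev = target
    for _ in range(3):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev


def classify(target: str) -> list[str]:
    """Return the list of indicator tags that match a single request target."""
    norm = normalize(target)
    tags = []
    if TRAVERSAL_RE.search(norm):
        tags.append("directory_traversal")
    if SQLI_RE.search(norm):
        tags.append("sql_injection")
    return tags


def scan_log(text: str) -> list[dict]:
    """Parse each log line and keep only requests that carry at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production job would count these separately
        tags = classify(m["target"])
        if tags:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),  # a 200 on a traversal probe deserves priority
                "tags": tags,
            })
    return findings


def summarize(findings: list[dict]) -> dict[str, list[str]]:
    """Collapse findings to one entry per source IP with the sorted set of techniques seen."""
    per_ip: dict[str, set] = {}
    for f in findings:
        per_ip.setdefault(f["ip"], set()).update(f["tags"])
    return {ip: sorted(tags) for ip, tags in per_ip.items()}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["tags"]), f["target"])
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run it over a real access log by passing the file contents to `scan_log`; the status code is kept in each finding because a traversal request that returned 200 (as in the second sample line) indicates the application may have served the file, whereas a 403 or 404 is usually a blocked probe.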
As previously detailed by CrowdStrike and Microsoft, RedJuliett uses the open-source SoftEther VPN software to route its traffic out of compromised networks and relies on living-off-the-land (LotL) techniques to evade detection. The group has been operational since at least mid-2021.
“In addition, RedJuliett has utilized SoftEther to manage operational infrastructure consisting of servers controlled by threat actors, rented from virtual private server (VPS) providers, and compromised infrastructure from three Taiwanese universities,” noted Recorded Future.
After gaining a foothold, the group deploys the China Chopper web shell to maintain persistent access, alongside other open-source web shells such as devilzShell, AntSword, and Godzilla. In some intrusions the group also exploited the DirtyCow Linux privilege escalation vulnerability (CVE-2016-5195).
“RedJuliett appears keen on gathering intelligence related to Taiwan’s economic policies, trade activities, and diplomatic relationships with other nations,” the report added.
“Similar to other Chinese threat actors, RedJuliett targets vulnerabilities in internet-facing devices due to their limited visibility and the scarcity of effective security measures, making them an efficient entry point for initial access.”