
China’s RedJuliett group targets multiple entities in 10 countries


Chinese state-sponsored group RedJuliett, operating out of Fuzhou, Fujian province, targets the government, education, technology, and diplomatic organisations in Taiwan, Hong Kong, Malaysia, Laos, the Philippines, South Korea, Kenya, Rwanda, Djibouti, and the United States.

The group’s primary targets appear to be the Taiwanese government, industry, think tanks, and civil society organisations. Researchers identified 24 organisations whose systems were observed communicating with RedJuliett’s infrastructure, and a further 75 organisations that appear to have been targeted by the group’s espionage activity.

RedJuliett has focused on exploiting known vulnerabilities in network edge devices such as firewalls, virtual private networks (VPNs), and load balancers to gain initial access. This strategy aligns with the group’s historical patterns and strategic objective of gathering intelligence on Taiwan’s economic policies, trade dynamics, and diplomatic relations.

RedJuliett attack chain. | Source: Recorded Future

The threat actor’s tooling includes SoftEther VPN bridges or clients deployed inside victim networks, giving the group encrypted, persistent remote access. For reconnaissance and exploitation, the group used the Acunetix web application vulnerability scanner alongside SQL injection and directory traversal attempts against victims’ web applications.

Post-exploitation, RedJuliett employed open-source web shells and exploited privilege escalation vulnerabilities in the Linux operating system to maintain and extend its foothold within compromised networks.

“RedJuliett compromised government organisations in Taiwan, Laos, Kenya, and Rwanda. The group also targeted the technology industry in Taiwan, including an optoelectronics company, a large Taiwanese facial recognition company that has held contracts with the Taiwanese government, and four software companies,” said researchers.

The group also targeted multiple universities, including three in Taiwan, one in the United States, and one in Djibouti. Notably, the researchers found that the group also targeted religious organisations in Taiwan, Hong Kong, and South Korea. Finally, a geological engineering company in Hong Kong, a Taiwanese waste and pollution treatment company and a publishing house were also targeted.

Sectors targeted by Chinese RedJuliett threat actors. | Source: Recorded Future

Additionally, the group targeted aerospace companies, development institutes, computing industries, and civil society organisations, including media, charities, and NGOs, that focused on human rights.

“Most recently, Insikt Group observed RedJuliett attempt SQL injection, directory traversal, and other exploits targeting web applications of target entities in multiple cases. In a small number of cases, we observed the group conduct post-exploitation activity using the open-source web shells devilzShell and AntSword and exploiting the Linux elevation of privilege vulnerability DirtyCow (CVE-2016-5195),” noted researchers.
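As an added example, not code from the article or from Recorded Future’s report, the following Python script runs the web-facing indicators described above (scanner traffic, SQL injection and directory traversal probes during reconnaissance and exploitation, and web shell client requests during post-exploitation) over a constructed web server access log. The log lines, IP addresses and paths are made up for illustration; the Acunetix markers and the `antSword/` user-agent string are assumed signatures that a defender would confirm and tune against their own environment rather than facts taken from the page.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample log in Apache/Nginx "combined" format. Not real traffic:
# one source runs scanner-style probes, a second talks to an uploaded web shell.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jun/2024:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Jun/2024:10:01:05 +0000] "GET /index.php?id=1'%20OR%20'1'='1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Jun/2024:10:01:07 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,password%20FROM%20users-- HTTP/1.1" 500 120 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Jun/2024:10:01:09 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Jun/2024:10:01:11 +0000] "GET /download.php?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 90 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Jun/2024:10:01:13 +0000] "GET /?acunetix_wvs_security_test=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; acunetix)"
198.51.100.7 - - [20/Jun/2024:10:05:00 +0000] "POST /uploads/img.php HTTP/1.1" 200 310 "-" "antSword/v2.1"
198.51.100.7 - - [20/Jun/2024:10:05:30 +0000] "POST /uploads/img.php HTTP/1.1" 200 2205 "-" "antSword/v2.1"
192.0.2.44 - - [20/Jun/2024:10:06:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Detection rules. Applied to the URL-decoded path (and, for tool fingerprints, the user agent).
SQLI_RE = re.compile(
    r"""['"]\s*(or|and)\s*['"\d]|union\s+select|--\s*$|/\*|;\s*(drop|insert|update)\b""", re.I
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Assumed signature: Acunetix scans are commonly reported to carry "acunetix" in probes and headers.
SCANNER_RE = re.compile(r"acunetix", re.I)
# Assumed signature: AntSword's default client user agent is commonly reported as "antSword/v...".
WEBSHELL_RE = re.compile(r"antsword", re.I)


@dataclass
class Finding:
    ip: str
    path: str
    tags: list


def parse(line):
    """Return the combined-log fields of one line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(raw):
    # Decode twice so double-encoded payloads (e.g. %252e%252e) are also caught.
    return unquote(unquote(raw))


def classify(entry):
    """Return the sorted list of rule names that fire on one parsed log entry."""
    tags = set()
    path = decode_path(entry["path"])
    if SQLI_RE.search(path):
        tags.add("sqli")
    if TRAVERSAL_RE.search(path):
        tags.add("traversal")
    if SCANNER_RE.search(path) or SCANNER_RE.search(entry["ua"]):
        tags.add("scanner")
    if WEBSHELL_RE.search(entry["ua"]):
        tags.add("webshell_client")
    return sorted(tags)


def findings(log_text):
    """One Finding per log line on which at least one rule fires, in log order."""
    out = []
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            out.append(Finding(entry["ip"], decode_path(entry["path"]), tags))
    return out


def summarize(log_text):
    """Per-source-IP counts of each rule, so one noisy source is seen as one campaign."""
    per_ip = {}
    for f in findings(log_text):
        counts = per_ip.setdefault(f.ip, {})
        for t in f.tags:
            counts[t] = counts.get(t, 0) + 1
    return per_ip


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f.ip, f.tags, f.path)
    print(summarize(SAMPLE_LOG))
```

The per-source summary is the useful output: a single address that progresses from scanner probes through injection and traversal attempts, followed by a different address issuing repeated POSTs to an unexpected PHP file under an upload directory, is the pattern the article describes, and is worth an alert even when each individual request looks low-severity.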

Researchers noted that Fuzhou falls within the People’s Liberation Army (PLA) Eastern Theatre Command, which focuses heavily on Taiwan. The area is also home to various regional civilian and military organisations in China.

The group’s activities align closely with Beijing’s broader objectives to monitor and influence Taiwan’s technological advancements and diplomatic engagements. The targeting of critical technological companies underscores the significance of Chinese state-sponsored cyber operations.

Recently, a massive Chinese-supported scam operation in Myanmar was dismantled. Taiwan has been a primary target of China for decades, and groups like Flax Typhoon have previously been exposed conducting surveillance and data exfiltration in Taiwan.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
