RedJuliett, a likely China-linked state-sponsored threat actor, has conducted an extensive cyber espionage campaign targeting government, academic, technology, and diplomatic organizations in Taiwan from November 2023 to April 2024. Tracked by Recorded Future’s Insikt Group, the campaign also extends its activities to other countries including Djibouti, Hong Kong, Kenya, and South Korea. The group primarily targets internet-facing appliances and employs sophisticated techniques such as SQL injection and exploiting vulnerabilities in enterprise VPN products and web applications for initial access.
Recorded Future’s report highlights that as many as 24 victim organizations, including government agencies in Taiwan, Laos, Kenya, and Rwanda, have communicated with RedJuliett’s infrastructure. The threat actor has targeted at least 75 entities in Taiwan alone for broader reconnaissance and potential follow-on exploitation. RedJuliett’s operational infrastructure includes both threat actor-controlled servers and compromised infrastructure from Taiwanese universities, managed through tools like SoftEther for tunneling malicious traffic and maintaining persistence using web shells like China Chopper and DevilzShell.
The group’s tactics also involve exploiting known vulnerabilities such as DirtyCow (CVE-2016-5195) for Linux privilege escalation. These activities are part of RedJuliett’s broader goal to gather intelligence on Taiwan’s economic policies, trade relations, and diplomatic interactions. The campaign reflects a strategic approach by Chinese threat actors to target vulnerabilities in internet-facing devices, leveraging their limited visibility and security solutions to scale initial access effectively.
Reference:
