RedJuliett cyber espionage strikes Taiwanese organisations

June 26, 2024

A suspected China-backed state-sponsored threat actor has been linked to the RedJuliett cyber espionage campaign, which targeted various Taiwanese organisations, including government, academic, technology, and diplomatic organisations, from November 2023 until April.

This clustered cyber espionage campaign, which the researchers described as operating from Fuzhou, China, serves Beijing’s intelligence-gathering efforts and would give it an advantage in pursuing its ambitions regarding East Asian countries.

Other targeted countries include Djibouti, Laos, Malaysia, the Philippines, Rwanda, South Korea, Hong Kong, Kenya, and the United States.

As of now, up to 24 victim organisations have been spotted communicating with the threat actor’s infrastructure, including government institutions in Taiwan, Laos, Kenya, and Rwanda. The group is also believed to have targeted at least 75 Taiwanese entities for wider surveillance and exploitation.

According to a new report published earlier this week, the group attempts to gain initial access through internet-facing appliances such as firewalls, load balancers, and enterprise virtual private network (VPN) products, and also uses structured query language (SQL) injection and directory traversal exploits against web and SQL applications.

According to investigations, the RedJuliett cyber espionage campaign uses the open-source software SoftEther to tunnel malicious traffic out of target networks and living-off-the-land (LotL) tactics to evade security detection.

The researchers explained that RedJuliett used SoftEther to manage operational infrastructure consisting of attacker-controlled servers leased from virtual private server (VPS) providers and compromised infrastructure allegedly owned by three Taiwanese universities.

Subsequently, the China Chopper web shell is deployed to establish persistence, along with other open-source web shells such as devilzShell, AntSword, and Godzilla. A few cases involved exploiting the Linux privilege escalation vulnerability CVE-2016-5195, also known as Dirty COW.
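As an added illustration from the defender’s side (not code from the report or the researchers), the following Python scans web-server access-log lines for the initial-access and persistence techniques named above: directory traversal, SQL injection, and POST requests to script files in an upload directory, a common web-shell indicator. The log lines, IP addresses, paths, and rule patterns are constructed samples, not indicators from the campaign.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not from any real incident).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:10:01:02 +0800] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.5 - - [12/Mar/2024:10:01:09 +0800] "GET /download?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1438
203.0.113.5 - - [12/Mar/2024:10:02:31 +0800] "GET /search?q=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0
203.0.113.5 - - [12/Mar/2024:10:05:44 +0800] "POST /uploads/images/shell.aspx HTTP/1.1" 200 88
198.51.100.7 - - [12/Mar/2024:10:06:00 +0800] "GET /static/logo.png HTTP/1.1" 200 9120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)

# Detection rules applied to the decoded request path (constructed, illustrative patterns).
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
SQLI_RE = re.compile(r"('|\")\s*(or|and)\s*('|\")?\d|union\s+select|--\s*$|;\s*drop\s", re.I)
# Script files living under an upload directory should never receive POSTs: web-shell indicator.
UPLOAD_SCRIPT_RE = re.compile(r'^/uploads/.*\.(aspx|php|jsp)$', re.I)


def decode_path(path):
    # Decode twice so double-encoded sequences such as %252e%252e%252f are also caught.
    return unquote(unquote(path))


def analyse_line(line):
    """Return a finding dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m["path"])
    hits = []
    if TRAVERSAL_RE.search(path):
        hits.append("directory_traversal")
    if SQLI_RE.search(path):
        hits.append("sql_injection")
    if m["method"] == "POST" and UPLOAD_SCRIPT_RE.search(path.split("?")[0]):
        hits.append("possible_web_shell")
    return {"ip": m["ip"], "timestamp": m["ts"], "path": path, "hits": hits}


def scan(log_text):
    """Return only the lines that triggered at least one rule."""
    findings = []
    for line in log_text.splitlines():
        result = analyse_line(line)
        if result and result["hits"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["hits"], f["path"])
```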

Experts agree that this cyber espionage campaign’s primary mission is to collect intelligence on Taiwan’s economic policy and trade and diplomatic relations with other countries, given the growing tension within the region.

Lastly, RedJuliett, like many other Chinese threat actors, most likely targets vulnerabilities in internet-facing devices, which typically have poor visibility and limited security coverage; targeting them has proven to be an effective strategy for scaling initial access.
