Cyber Threat Report: 'Chinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber Espionage via Network Perimeter Exploitation'
Report Author | Insikt Group |
---|---|
Publication Date | 2024-06-24 |
Original Reporting | Source |
Attributed to Nation | China |
Related Intrusion Sets | Ethereal Panda, Flax Typhoon, RedJuliett |
Identified CVEs | CVE-2016-5195 |
Victim Sectors | Ministries of Foreign Affairs, Education, Technology |
This report by Recorded Future's Insikt Group details activity by RedJuliett between November 2023 and April 2024. RedJuliett, also tracked as Flax Typhoon (Microsoft) and Ethereal Panda (CrowdStrike), is a suspected Chinese state-sponsored cyber-espionage group whose operations date back to mid-2021. Based in Fuzhou, Fujian Province, the group's activities align with China's strategic objectives, particularly the targeting of Taiwan amid sensitive cross-strait relations. According to the report, RedJuliett has focused on collecting intelligence from government, education, technology, and diplomatic entities, with additional targeting observed in Southeast Asia, Africa, and the United States.

Insikt Group analysts observed the group actively scanning for vulnerabilities and then exploiting internet-facing devices such as VPNs, firewalls, and load balancers, as well as using SQL injection and directory traversal exploits. Post-exploitation activity included the deployment of web shells (e.g. devilzShell, AntSword) and exploitation of the Linux privilege escalation vulnerability Dirty COW (CVE-2016-5195). Notably, the group used SoftEther VPN to administer its operational infrastructure, combining leased servers with compromised infrastructure belonging to three Taiwanese universities. Its frequent targeting of critical technology companies and government entities highlights a focus on intelligence that supports economic and geopolitical decision-making.
Mitigations to defend against the techniques in this report
Mitigation | Description |
---|---|
User Account Management | Manage the creation, modification, use, and permissions associated with user accounts. |
Disable or Remove Feature or Program | Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. |
Application Isolation and Sandboxing | Restrict execution of code to a virtual environment on or in transit to an endpoint system. |
Exploit Protection | Use capabilities to detect and block conditions that may lead to, or be indicative of, a software exploit occurring. |
Vulnerability Scanning | Vulnerability scanning is used to find potentially exploitable software vulnerabilities so that they can be remediated. |
Privileged Account Management | Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root. |
Update Software | Perform regular software updates to mitigate exploitation risk. |
Network Segmentation | Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services... |
Pre-compromise | This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques. |
Threat Intelligence Program | A threat intelligence program helps an organization generate its own threat intelligence information and track trends to inform defensive priorities and mitigate risk. |
Execution Prevention | Block execution of code on a system through application control and/or script blocking. |
Multi-factor Authentication | Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator. |
Limit Access to Resource Over Network | Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. |
Identified MITRE ATT&CK Techniques
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1505.003 | Web Shell | Persistence |
T1190 | Exploit Public-Facing Application | Initial Access |
T1584 | Compromise Infrastructure | Resource Development |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1583.003 | Virtual Private Server | Resource Development |
T1595.002 | Vulnerability Scanning | Reconnaissance |
T1133 | External Remote Services | Initial Access, Persistence |