Full Report
Between November 2023 and April 2024, researchers observed RedJuliett, a likely Chinese state-sponsored cyber-espionage group, targeting entities primarily in Taiwan but also across Asia, Africa, and the US. The focus was on sectors such as government, education, technology, a...
Analysis Summary
# Threat Actor: RedJuliett
## Attribution & Identity
* **Identification:** RedJuliett is a likely Chinese state-sponsored cyber-espionage group.
* **Aliases/Associations:** Associated with clusters previously tracked as Flax Typhoon and Ethereal Panda. It operates out of Fuzhou, China, likely under the direction of the Ministry of State Security (MSS).
## Activity Summary
Between November 2023 and April 2024, RedJuliett conducted an expansive cyber-espionage campaign focused heavily on Taiwan. The actor demonstrated a high level of operational tempo, exploiting public-facing vulnerabilities in network edge appliances to gain initial access to target environments.
## Tactics, Techniques & Procedures
* **Exploitation of Edge Devices:** Targeted vulnerabilities in firewalls, VPNs, and load balancers (e.g., Ivanti Connect Secure, Fortinet FortiGate, and F5 BIG-IP).
* **Living-off-the-Land (LotL):** Extensive use of built-in operating system tools to minimize its footprint and evade detection.
* **SQL Injection:** Used for initial access and data extraction from web applications.
* **Credential Theft:** Harvesting credentials from compromised systems to facilitate lateral movement.
* **Web Shell Deployment:** For persistent access to compromised web servers.
* **Relevant MITRE ATT&CK IDs:**
  * T1190 (Exploit Public-Facing Application)
  * T1059 (Command and Scripting Interpreter)
  * T1505.003 (Server Software Component: Web Shell)
  * T1003 (OS Credential Dumping)
## Targeting
* **Sectors:** Government, Education, Technology, Diplomatic/Foreign Affairs, and Think Tanks.
* **Geography:** Primarily **Taiwan**. Also observed targeting entities in Hong Kong, South Korea, the United States, Djibouti, Kenya, and Laos.
* **Victims:** Over 70 organizations, including 24 government agencies (mostly in Taiwan), multiple universities, and critical technology companies.
## Tools & Infrastructure
* **Malware:**
  * **SoftEther VPN:** Used for maintaining persistent access.
  * **China Chopper:** A common web shell used for remote administration.
  * **Acunetix:** Legitimate web vulnerability scanner used for reconnaissance.
* **Infrastructure:**
  * **C2:** Utilized a mix of leased Virtual Private Servers (VPS) and compromised home/small office (SOHO) routers.
  * **Defanged Examples:**
    * hxxp[://]103[.]253[.]41[.]75
    * hxxp[://]45[.]121[.]146[.]113
    * redjuliett-c2[.]com (Example format)
## Implications
RedJuliett’s activities represent a significant strategic effort by China to gather intelligence on Taiwan’s internal policy, technological advancements, and diplomatic relations. The group's ability to compromise network edge devices at scale poses a threat to global organizations, as these devices often lack robust EDR (Endpoint Detection and Response) coverage.
## Mitigations
* **Patch Management:** Prioritize immediate patching of edge devices (VPNs, Firewalls, Load Balancers), specifically products from Ivanti, Fortinet, and F5.
* **Vulnerability Scanning:** Regularly scan public-facing infrastructure for SQL injection and other web vulnerabilities.
* **Harden Edge Devices:** Implement multi-factor authentication (MFA) on all remote access points and restrict administrative interfaces to trusted internal IPs.
* **Log Monitoring:** Increase logging and monitoring for atypical LotL activity (e.g., unusual PowerShell or CMD execution) on internet-facing servers.
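One way to turn the log-monitoring item into a concrete check, added here as an illustration and not code from the report or any vendor tooling: it scans process-creation events for a web server process spawning a shell (the usual footprint of a web shell such as China Chopper driving LotL commands) and for encoded PowerShell from any parent. It assumes events carry Sysmon Event ID 1 field names (`Image`, `ParentImage`, `CommandLine`, `Computer`); the sample events are constructed, and the image lists are a starting point to tune per environment.

```python
"""Flag web-server processes spawning shells (T1505.003 -> T1059) and
encoded PowerShell (T1059) in process-creation events."""
import json

# Parent images that should not be launching shells on an internet-facing host.
# Illustrative list; tune to the server roles actually deployed.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm", "java"}
# Child images that indicate command execution rather than normal request handling.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash",
                "whoami.exe", "net.exe", "nltest.exe", "certutil.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Final path component, lower-cased; handles Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_lotl(events):
    """Return one finding per suspicious event. Each event is a dict using
    Sysmon Event ID 1 field names: Image, ParentImage, CommandLine, Computer."""
    findings = []
    for ev in events:
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        reasons = []
        if parent in WEB_SERVER_IMAGES and child in SHELL_IMAGES:
            reasons.append("web server spawned shell (T1505.003 -> T1059)")
        # PowerShell accepts any prefix of -EncodedCommand, so '-enc' covers -e/-ec/-enc.
        if child in POWERSHELL_IMAGES and "-enc" in cmd.lower():
            reasons.append("encoded PowerShell command (T1059)")
        if reasons:
            findings.append({"host": ev.get("Computer", "?"), "parent": parent,
                             "child": child, "cmd": cmd, "reasons": reasons})
    return findings


# Constructed sample events (not from any real incident), in Sysmon Event ID 1 shape.
SAMPLE_EVENTS = [
    {"Computer": "web01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "web01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig"},  # benign: ASP.NET dynamic compilation
    {"Computer": "app02", "ParentImage": "/usr/sbin/httpd",
     "Image": "/bin/sh", "CommandLine": "sh -c 'cat /etc/passwd'"},
    {"Computer": "ws07", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},  # benign
    {"Computer": "ws07", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
]

if __name__ == "__main__":
    for finding in detect_lotl(SAMPLE_EVENTS):
        print(json.dumps(finding))
```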