Chinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber Espionage via Network Perimeter Exploitation

Insikt Group identifies RedJuliett, a likely Chinese state-sponsored group, intensifying cyber-espionage against Taiwanese government, academic, technology, and diplomatic targets from November 2023 through April 2024 by exploiting vulnerabilities in internet-facing devices and VPN infrastructure. The operation expanded geographically and employed web application exploits, web shells, and post-exploitation techniques; defense-in-depth and monitoring are recommended to detect and counter these activities. Hashtags: #RedJuliett #SoftEther #Acunetix #F5BIGIP #FortinetFortiGate #ZyXELZyWALL #Taiwan

Key Points

  • RedJuliett targeted Taiwanese government, academic, technology, and diplomatic organizations, compromising 24 entities and probing over 70 others in Taiwan.
  • The group exploited vulnerabilities in internet-facing devices and used web application exploits, including SQL injection and directory traversal.
  • Post-exploitation activity included open-source web shells and privilege escalation on Linux systems.
  • Infrastructure relied on SoftEther VPN, with both actor-controlled leased servers and compromised university infrastructure.
  • Operations expanded to Hong Kong, Malaysia, Laos, South Korea, the United States, Djibouti, Kenya, and Rwanda.
  • Recommendations emphasize defense-in-depth, regular auditing of internet-facing devices, network segmentation, monitoring for web shells and lateral movement, and risk-based patching.

MITRE Techniques

  • [T1583.003] Resource Development: Acquire Infrastructure: Virtual Private Server – Used to obtain infrastructure resources as part of operations.
  • [T1584] Resource Development: Compromise Infrastructure: Server – Used to establish and control server-based infrastructure.
  • [T1595.002] Reconnaissance: Active Scanning: Vulnerability Scanning – Performed reconnaissance to identify exploitable weaknesses.
  • [T1190] Initial Access: Exploit Public-Facing Application – Gained initial access by abusing exposed applications.
  • [T1133] Persistence: External Remote Services – Maintained persistence via remote services exposed to external networks.
  • [T1505.003] Persistence: Server Software Component: Web Shell – Used web shells as a persistence mechanism on servers.
  • [T1068] Privilege Escalation: Exploitation for Privilege Escalation – Escalated privileges to deepen access and move laterally.

Indicators of Compromise

  • [IP Address] Active RedJuliett servers as of May 21, 2024 – 38.147.190.192 (since 2024-04-07), 61.238.103.155 (since 2024-02-23), and 6 more IPs
  • [Certificate fingerprint] SoftEther TLS Certificates (SHA-1) – 7992c0a816246b287d991c4ecf68f2d32e4bca18, 5437d0195c31bf7cedc9d90b8cb0074272bc55df, and 5 more hashes
  • [Domain] Domains – cktime.ooguy[.]com, www.sofeter[.]ml, www.dns361[.]tk

Read more: https://www.recordedfuture.com/redjuliett-intensifies-taiwanese-cyber-espionage-via-network-perimeter