Chinese RedJuliett Exploiting Firewalls, VPNs, & Load Balancers

A suspected Chinese state-sponsored cyberespionage group, RedJuliett, targeted the Taiwanese government and academic, technological, and diplomatic organizations between November 2023 and April 2024. 

They exploited vulnerabilities in firewalls, VPNs, and load balancers to gain initial access to victim networks, likely originating from Fuzhou, China, which aligns with China’s interest in Taiwan and suggests an attempt to gather intelligence on Taiwan’s economic and diplomatic affairs, as well as technological advancements. 

Targets of RedJuliett

It has intensified its attacks on the Taiwanese government, academic, and technological institutions, as it has been identified that the campaign targets these sectors from November 2023 to April 2024.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

RedJuliett’s strategy involved network reconnaissance and attempted exploitation, with a focus on compromising VPN access points. This strategy aligns with the group’s past activities and demonstrates an expansion beyond Taiwan, with targets identified in Hong Kong, Southeast Asia, South Korea, the US, and Africa. 

A suspected Chinese state-sponsored threat actor employed a multi-pronged attack strategy against Taiwanese targets by exploiting vulnerabilities in internet-facing devices (firewalls, VPNs) to gain initial access. 

Beyond these vulnerabilities, RedJuliett leveraged SQL injection and directory traversal techniques to compromise web applications and databases. To mitigate these attacks, organizations should prioritize routine patching and implement defense-in-depth strategies. 

These strategies should focus on identifying lingering malicious presences, uncovering compromised systems, and stopping lateral movement within the network. 

It is also recommended that businesses conduct regular audits of devices connected to the Internet to reduce their potential attack surface. 

overlaps with public reporting

RedJuliett, a cyberespionage group, compromised 24 organizations, including government entities across Taiwan, Laos, Kenya, and Rwanda, by targeting over 70 additional organizations in Taiwan, including academic institutions, government agencies, think tanks, and technology companies, for reconnaissance or attempted infiltration. 

Their methods involved creating SoftEther VPN access points within victim networks, utilizing Acunetix scanners for vulnerability discovery, and exploiting weaknesses like SQL injection and directory traversal. 

After gaining initial access, RedJuliett deployed open-source web shells and leveraged a Linux privilege escalation vulnerability to maintain persistence and potentially escalate privileges.  

According to the Insikt Group, the company’s operations are carried out through a combination of self-controlled leased servers and compromised infrastructure from Taiwanese universities.  

This infrastructure is managed through SoftEther VPN, a tool that allows the group to tunnel malicious traffic out of victim networks, whose targets include government agencies and critical technology companies in Taiwan, aligning with China’s goals of collecting intelligence on Taiwan’s economic and technological advancements.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.