Redjuliett

RedJuliett, a Chinese state-sponsored threat group, has been implicated in persistent espionage attacks on approximately 75 organizations since 2023. This information was reported by Insikt Group, the threat research arm of Recorded Future. The targeted organizations span across government, academic, and technology sectors in various countries. RedJuliett's modus operandi includes exploiting vulnerabilities in network edge devices such as firewalls, virtual private networks, and load balancers to gain initial access. The group also leverages an open-source VPN client, SoftEther, to target infrastructures. Taiwan is currently grappling with a surge of cyber-espionage attacks from RedJuliett. As of June 24th, the group has attacked 24 different Taiwanese government agencies, educational institutions, and technology firms. The activities of RedJuliett align with China's strategic objectives to gather intelligence on Taiwan's economic policy, trade, and diplomatic relations. The group has also compromised organizations in Laos, Kenya, and Rwanda. Furthermore, RedJuliett is known to overlap with other threat groups known as Flax Typhoon and Ethereal Panda. Insikt Group predicts that RedJuliett and other Chinese state-sponsored threat actors will persistently target Taiwan for intelligence gathering, focusing on universities, government organizations, think tanks, and technology companies. RedJuliett operates its infrastructure using SoftEther VPN, utilizing both threat actor-controlled leased servers and compromised infrastructure belonging to Taiwanese universities. In addition to exploiting vulnerabilities in internet-facing devices, the group also uses SQL injection and directory traversal exploits against web and SQL applications. It is recommended to monitor Malicious Traffic Analysis (MTA) to proactively detect and alert on infrastructure communicating with known RedJuliett command-and-control (C2) IP addresses.