Chinese Hackers Caught Spying on Taiwanese Firms
Espionage Group Used SoftEther VPN Client to Exploit Targeted Networks
A Chinese state-sponsored group tracked as RedJuliett is using open-source VPN client SoftEther to target the infrastructure of about 75 organizations in government, academic and technology sectors in multiple countries. Most of the attacks appear to target Taiwan.
Recorded Future's threat research arm Insikt Group said Monday the cyberespionage group managed to compromise 24 organizations, including an optoelectronics company, a facial recognition company, a waste and pollution treatment company, a publishing house, three universities and four software companies in Taiwan between November 2023 and April 2024.
The group also conducted network reconnaissance and attempted exploitation at eight universities and 11 government agencies, including those focused on Taiwanese economic policy; public sector organizations in Taiwan, Laos, Kenya and Rwanda; universities in the U.S. and Djibouti; a Taiwanese semiconductor company; two Taiwanese aerospace companies; two Taiwanese think tanks focused on economic policy; and multinational logistics companies and airlines.
Microsoft said in August 2023 that the threat group, which it tracks as Flax Typhoon, exploited vulnerabilities in public-facing servers to infiltrate networks and deployed a VPN connection to network infrastructure controlled by threat actors to collect credentials from compromised systems. That campaign also predominantly targeted Taiwanese organizations (see: Chinese State Hackers 'Flax Typhoon' Targeting Taiwan).
Microsoft said Flax Typhoon used the open-source client and server VPN software SoftEther to generate multiple TLS certificates to communicate with targeted networks. Insikt Group researchers found that the group continued to use these certificates between November and April to communicate with victim networks and used its IP addresses as SoftEther VPN nodes for reconnaissance and attempted exploitation.
RedJuliett operators specifically looked for vulnerabilities in network edge devices such as firewalls, virtual private networks and load balancers and exploited them to obtain initial access. The researchers said these internet-facing devices offer limited visibility and logging and have few security solutions available for them, which makes them prime targets for hacking.
The group also hunted for vulnerabilities in installed web applications. It used Acunetix Web Application Security Scanners to identify vulnerable applications and attempted SQL injection and directory traversal exploits against web and SQL applications. After obtaining initial access, RedJuliett used open-source tools such as devilzShell and AntSword for post-exploitation activity and exploited a known Linux vulnerability - CVE-2016-5195 - to gain privileged access to networks.
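The web-application scanning, SQL injection and directory traversal attempts described above leave traces in ordinary web-server access logs. As an added example (not from the article or from Recorded Future's report), this Python snippet parses constructed combined-format log lines, URL-decodes request paths (including double-encoded ones) and flags traversal sequences, common SQL-injection tokens and a scanner that names itself in the User-Agent; the "Acunetix" User-Agent marker is an assumption, not a documented signature.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format; not taken from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:04 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:06 +0000] "GET /login HTTP/1.1" 200 100 "-" "Mozilla/5.0 (compatible; Acunetix)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Deliberately simple rules that illustrate the checks; not a substitute for a real WAF.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
SQLI_RE = re.compile(r"""['"]\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select|--\s*$""", re.I)
SCANNER_UA_RE = re.compile(r'acunetix', re.I)  # assumption: the scanner names itself in the User-Agent

def normalize(path, rounds=3):
    """URL-decode up to `rounds` times so double-encoded payloads (e.g. %252e) are caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return (ip, decoded path, tags) for one log line; tags is empty if nothing tripped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize(m['path'])
    tags = []
    if TRAVERSAL_RE.search(path):
        tags.append('traversal')
    if SQLI_RE.search(path):
        tags.append('sqli')
    if SCANNER_UA_RE.search(m['ua']):
        tags.append('scanner-ua')
    return m['ip'], path, tags

def scan_log(text):
    """Return only the parsed lines that tripped at least one rule."""
    results = (classify(line) for line in text.splitlines() if line.strip())
    return [r for r in results if r and r[2]]
```

Matching on the decoded path rather than the raw request line is what catches the `%252e%252e%252f` variant; a rule applied to the raw string would miss it.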
The researchers said the group's activities are consistent with China's objective to gain intelligence on Taiwan's economic policy, trade and diplomatic relations, and RedJuliett will likely continue to target Taiwanese government and critical technology firms.