China ups the ante on Taiwan, cyberattacks see massive uptick, claims cybersecurity research firm


A suspected Chinese state-sponsored hacking group, known as RedJuliett, has significantly increased its cyberattacks on Taiwanese organizations, particularly those in government, education, technology, and diplomacy, according to a report by cybersecurity intelligence company Recorded Future.

Relations between China and Taiwan, a self-governing island that Beijing claims as its territory, have worsened in recent years. These tensions have escalated into the cyber realm, with RedJuliett’s attacks observed between November 2023 and April 2024, coinciding with Taiwan’s presidential elections in January and the subsequent change in administration.

Uptick in cyberattacks
RedJuliett has targeted organizations in Taiwan before. However, the recent surge is the first time such activity has been observed at this scale.

A Recorded Future analyst, speaking anonymously due to safety concerns, reported that the group targeted 24 organizations. These included government agencies in Taiwan, as well as in countries like Laos, Kenya, and Rwanda.

In addition, RedJuliett hacked into the websites of religious organizations in Hong Kong and South Korea, a US university, and a university in Djibouti. Although the specific organizations were not named, the report highlighted the group’s use of vulnerabilities in the SoftEther enterprise virtual private network (VPN) software to access servers.

RedJuliett attempted to breach the systems of over 70 Taiwanese organizations, including three universities, an optoelectronics company, and a facial recognition company with government contracts. Recorded Future observed these attempts to identify network vulnerabilities but did not confirm whether the breaches were successful.

The hacking patterns of RedJuliett align with those of Chinese state-sponsored groups. Based on IP geolocations, Recorded Future believes the group operates out of Fuzhou in China’s southern Fujian province, which is geographically close to Taiwan. “Given the close geographical proximity between Fuzhou and Taiwan, Chinese intelligence services operating in Fuzhou are likely tasked with intelligence collection against Taiwanese targets,” the report stated.

Surveillance through attacks
The attacks are likely aimed at collecting intelligence to support Beijing’s policy-making on cross-strait relations. “RedJuliett is likely targeting Taiwan to collect intelligence and support Beijing’s policy-making on cross-strait relations,” the report concluded.

Taiwan’s Ministry of Foreign Affairs has not yet commented on the report. In contrast, a Chinese Foreign Ministry spokesperson dismissed the allegations, accusing Recorded Future of fabricating disinformation about Chinese hacking operations. “There is absolutely no professionalism or credibility to speak of in what the company does,” spokesperson Mao Ning said.

Microsoft reported in August 2022 that RedJuliett, which it tracks under the name Flax Typhoon, was targeting Taiwanese organizations. China’s increased cyber activities complement its military drills around Taiwan and its economic and diplomatic pressure on the island.

The situation further deteriorated after the election of Taiwan’s new president, Lai Ching-te, in January. Beijing labelled Lai a “separatist” following his inauguration speech, where he asserted that Taiwan and China are not subordinate to each other. Like his predecessor Tsai Ing-wen, Lai maintains that there is no need to declare Taiwanese independence as it is already a sovereign state.

Global Cyberespionage and Defensive Measures
China, like many other nations, has been known to engage in cyber espionage. Earlier this year, the US and Britain accused China of a widespread cyberespionage campaign affecting millions. Beijing consistently denies these allegations, claiming instead that China is a major target of cyberattacks.

Recorded Future believes that Chinese state-sponsored groups will only continue to grow, especially those that target Taiwanese government agencies.

Even universities and private companies that work on critical technology will face an increasing number of attacks through “public-facing” devices such as open-source VPN software.
