Chinese Hackers

[kyonides]

Chinese Hackers Intensify Attacks on Taiwan

A cybersecurity team called the Insikt Group published a report on Monday that found Chinese state-sponsored hackers have significantly intensified attacks on Taiwan, seemingly with an eye toward stealing Taiwanese technology and spying on Taiwan’s diplomatic initiatives.

The Insikt Group is the threat research division of Recorded Future, an international cybersecurity firm with both government and corporate clients spread across 75 countries. 

The group’s report focused on “RedJuliett,” a cyber-espionage group believed to be sponsored by the Chinese government. RedJuliett’s activities were detected for the first time in August 2023, when Microsoft discovered a sizable cyber-espionage campaign targeting companies in Taiwan.

Microsoft dubbed the hacking threat “Flax Typhoon,” while cybersecurity firm CrowdStrike detected its activities at roughly the same time and named it “Ethereal Panda.” Insikt Group researchers were confident that all of these designations were names for the same cybersecurity threat actor.

The group pulled off some cyberattacks against other countries, including South Korea and the United States, but about 60 percent of its detected activity has been focused on Taiwan. RedJuliett’s activity has been traced back to the Chinese city of Fuzhou, which is close to Taiwan and hosts numerous Chinese intelligence operations targeting the island.

“While RedJuliett’s potential affiliation with either China’s Ministry of State Security MSS or People’s Liberation Army PLA is currently unknown, an operating location within Fuzhou is consistent with the group’s persistent focus on Taiwan,” the report said.

The Insikt Group found RedJuliett’s espionage activities against Taiwan between November 2023 and April 2024, hitting “over 70 academic, government, think tank, and technology organizations in Taiwan, as well as multiple de facto embassies operating on the island.”

Taiwan often lacks official embassies from other countries due to China’s political pressure. The de facto American embassy, for example, is an organization called the American Institute in Taiwan (AIT).

The cybersecurity report said:

Within Taiwan, we observed RedJuliett heavily target the technology industry, including organizations in critical technology fields. RedJuliett conducted vulnerability scanning or attempted exploitation against a semiconductor company and two Taiwanese aerospace companies that have contracts with the Taiwanese military.

Taiwan’s presidential election season began around the same time as RedJuliett’s increased activity, culminating in the election of William Lai Ching-te as the successor to President Tsai Ing-wen in January 2024. Lai was inaugurated in May 2024. He belongs to the same Democratic Progressive Party (DPP) as Tsai, so his victory marked the first time in the history of Taiwan’s democracy that the same party held the presidency for three consecutive terms.

The communist Chinese government hates both Tsai and Lai, dubbing them “separatists” and “insurrectionists.” Beijing deployed what Lai denounced as an “unprecedented” level of election interference to intimidate Taiwanese out of voting for him.

“In addition to political and military pressure, it is also using economic means, cognitive warfare, disinformation, threats and incentives. It has resorted to all means to interfere with this election,” Lai said in January.

The Insikt Group said it could not determine how successful RedJuliett’s cyberattacks were, as it could observe the attempts from outside of targeted networks but could not see the results.

RedJuliett had an arsenal of sophisticated hacking tools at its disposal, including code that exploited vulnerabilities in networks, web servers, and security software. The group employed “living off the land” (LotL) techniques, a disturbing new trend in cyber espionage in which hackers penetrate a system, hide their malicious code among the many legitimate programs running on a large network, and remain dormant for long periods.

LotL tactics are alarming to cybersecurity researchers because they suggest the hackers are lying in wait for some anticipated signal — like a declaration of war by the country that sponsors them — rather than causing damage or stealing data immediately.

Of course, the CCP strongly denied any involvement in the cyberattacks.