Chinese hackers have increased their attacks on Taiwanese organizations, according to cybersecurity firm

A suspected Chinese state-sponsored hacker group has increased its attacks on Taiwanese organizations, particularly in the government, education, technology and diplomatic sectors, cybersecurity intelligence firm Recorded Future said.

In recent years, relations between China and Taiwan, a self-governing island across the Taiwan Strait that Beijing claims as its territory, have deteriorated. The cyberattacks by the group known as RedJuliett were observed between November 2023 and April 2024, in the run-up to Taiwan’s presidential election in January and the subsequent change of government.

RedJuliett has targeted Taiwanese organizations in the past, but this is the first time activity of this magnitude has been observed, said a Recorded Future analyst who asked not to be identified for security reasons.

According to the report, RedJuliett has attacked 24 organizations, including government agencies in countries such as Laos, Kenya and Rwanda, as well as Taiwan.

In addition, the websites of religious organizations in Hong Kong and South Korea, as well as a US and a Djiboutian university, were hacked. The names of the organizations were not mentioned in the report.

According to Recorded Future, RedJuliett accessed the servers at these locations through a vulnerability in SoftEther enterprise virtual private network (VPN) software, an open-source VPN that enables remote connections to an organization’s networks.

RedJuliett has been observed attempting to break into the systems of more than 70 Taiwanese organizations, including three universities, an optoelectronics company and a facial recognition company that has contracts with the government.

It was unclear whether RedJuliett succeeded in penetrating these organizations: Recorded Future said only that it had observed attempts to identify vulnerabilities in their networks.

According to Recorded Future, RedJuliett’s hacking patterns are consistent with those of Chinese state-sponsored groups.

It said that based on the geolocation of the IP addresses, RedJuliett was likely based in the city of Fuzhou in southern China’s Fujian province, whose coast borders Taiwan.

“Given the geographic proximity between Fuzhou and Taiwan, Chinese intelligence agencies operating in Fuzhou are likely tasked with intelligence gathering against Taiwanese targets,” the report said.

“RedJuliett is likely targeting Taiwan to gather intelligence and support Beijing’s policies regarding cross-strait relations,” the Recorded Future report said.

The Taiwanese and Chinese foreign ministries initially did not comment.

Microsoft reported in August last year that RedJuliett, which Microsoft tracks under the name Flax Typhoon, was targeting Taiwanese organizations.

In recent years, China has intensified its military exercises around Taiwan and exerted economic and diplomatic pressure on the island.

Relations between Taiwan and Beijing deteriorated further after Taiwan’s new president, Lai Ching-te, was elected in January. China labelled him a “separatist” after he said in his inaugural speech that Taiwan and China were not subordinate to each other. Like his predecessor Tsai Ing-wen, Lai said there was no need to declare Taiwan’s independence because the country was already an independent, sovereign state.

Like many other countries, including the United States, China is known for cyber espionage. Earlier this year, the United States and Britain accused China of a comprehensive cyber espionage campaign that allegedly affected millions of people.

Beijing has consistently denied involvement in any form of state-sponsored hacking, instead stating that China itself is a major target of cyberattacks.

According to Recorded Future, Chinese state-sponsored groups are likely to continue targeting Taiwanese government agencies, universities and major technology companies through “publicly accessible” devices such as open-source VPN software that offer limited visibility and logging capabilities.

The best way for businesses and organizations to protect themselves is to prioritize vulnerabilities and patch them as soon as they become known, said Recorded Future’s threat analysis analyst.