Recorded Future reported that attacks by the group, known as RedJuliett, were observed between November 2023 and April 2024, during the period leading up to Taiwan's presidential elections and the subsequent change of administration.
In recent years, relations between China and Taiwan, an autonomous island across the Taiwan Strait that Beijing claims as its territory, have deteriorated.
RedJuliett has targeted Taiwanese organizations in the past, but this is the first time the activity has been seen on such a scale, said an analyst at Recorded Future, who asked not to be identified for security reasons.
According to the report, RedJuliett attacked 24 organizations, including government agencies in places such as Laos, Kenya and Rwanda, portals of religious organizations in Hong Kong and South Korea, and universities in the United States and Djibouti. The document did not identify the organizations.
Recorded Future said RedJuliett accessed the servers through a vulnerability in the enterprise virtual private network (VPN) program SoftEther, an open source VPN that allows remote connections to an organization's networks.
RedJuliett was observed trying to break into the systems of more than 70 Taiwanese organizations, including three universities, an optoelectronics company, and a facial recognition company that has government contracts.
It was unclear whether RedJuliett was able to break into these organizations. Recorded Future said only that it observed attempts to identify vulnerabilities in the networks.
RedJuliett's way of operating corresponds to that of state-sponsored Chinese groups, according to the cybersecurity company.
Recorded Future stated that, based on the geolocation of IP addresses, RedJuliett is likely headquartered in the city of Fuzhou in southern China's Fujian province, whose coast faces Taiwan.
"Given the geographic proximity between Fuzhou and Taiwan, Chinese intelligence services operating in Fuzhou are likely tasked with gathering intelligence against Taiwanese targets," the report reads.
"It is likely that RedJuliett is targeting Taiwan to gather information and support Beijing's policy regarding relations between the two sides of the Taiwan Strait," says Recorded Future.
Microsoft reported in August that RedJuliett, which Microsoft tracks under the name Flax Typhoon, was targeting organizations in Taiwan.
In recent years, China has intensified military exercises around Taiwan and imposed economic and diplomatic pressure on the island.
Relations between Taiwan and Beijing worsened after the election, in January, of Taiwan's new president, William Lai Ching-te, whom China considers a separatist after he stated in his inauguration speech that Taiwan and China were not subordinate to each other.
Like his predecessor Tsai Ing-wen, Lai stated that there is no need to declare Taiwan's independence because the country is already an independent sovereign state.
Earlier this year, the US and the UK accused China of a vast cyberespionage campaign that allegedly targeted millions of people.
Beijing has consistently denied involvement in any form of state-sponsored hacking, instead asserting that China itself is a major target of cyberattacks.
