Intelligence Report - Across the Strait: Evolving Cyber Threats targeting Taiwan
By: Sean Thorne, Gioia Serena Wang, Lucas Snarski, Fateh Gill, Chris and Vanina Meyer
Summary
Amid Taiwan’s upcoming presidential elections, a team of Intelligence Analysts dived into China’s extensive use of cyberwarfare against Taiwan. Since Tsai Ing-wen's 2016 election, Taiwan has been subjected to large-scale cyberattacks and disinformation campaigns, often reflecting wider geopolitical tensions in the region. These attacks are not limited to government infrastructure, but also affect private businesses and communication systems, revealing a multifaceted strategy to exert influence, gather intelligence, and possibly destabilise the region.
Latest developments
Taiwan is reported as being the largest cyberattack target in the Asia-Pacific region, with the Taiwanese government reportedly being subject to over 5,000,000 attacks annually, and the private sector over 100,000. Since 2017, cyberattacks from China have shifted from only targeting government institutions to also targeting private companies and infrastructure. The frequency of such attacks appears correlated to political happenings on the island.
According to CrowdStrike, the Mainland Chinese government has been leveraging domestic talent to identify and utilise cyber exploits against Taiwan. Exploits unveiled through the Tianfu Cup, an annual hacking competition hosted in Chengdu, have been identified in use against Taiwanese targets. This has resulted in a broader spectrum of attack techniques being utilised by Chinese actors, shifting from predominantly impersonating system administrators through ‘ProxyLogon’ in early 2021, to exploiting FatPipe MPVPN device vulnerabilities and Microsoft Exchange zero-day weaknesses to upload malicious webshells, ultimately granting the attackers access.
Major cyberattacks against Taiwan have taken place during times of heightened political tension with Beijing – most notably following Tsai Ing-wen’s election in 2016, her inauguration in 2020, and Nancy Pelosi’s visit to Taiwan in 2022. These attacks have included hacking government websites and publicly-visible displays in order to broadcast anti-US and anti-DPP sentiment. Whilst seemingly timed alongside political developments, contemporary Chinese cyberattacks are increasingly targeting both private industries and critical infrastructure. Energy giant CPC Corporation suffered a ransomware attack in 2021, identified as originating from China by the FBI. Chinese APT group Chimera have also been identified as launching cyber-offensive operations against Taiwan’s semiconductor industry, and Antlion against Taiwanese financial institutions.
Taiwan has sought to bolster its cybersecurity capabilities in both public and private sectors through policy-making initiatives – mostly through the National Information & Communication Security Taskforce (NICST). The initiative’s ‘fifth phase’ of expansion in 2017 elevated cybersecurity to being a matter of national security. This has resulted in government entities taking measures to combat cyber threats, such as routinely simulating cyberattacks, improving domestic firewalls and securing data.
Beyond domestic legislation, Taiwan has increased its cooperation with allied states to bolster its cyber defences and capabilities, most notably with the United States through the Global Cooperation and Training Framework (GCTF). Cybersecurity-related ties between Washington and Taipei have the potential to deepen as the Taiwan Cybersecurity Resiliency Act of 2023 progresses through the United States Senate.
China’s Active Defence Strategies and Operations
China’s cyberwarfare has been increasingly integrated into People’s Liberation Army (PLA) doctrine, which recognises cyberwarfare capacities as an integral component of the PRC’s active defence strategy.
The PLA articulates its intentions regarding the development of cyberwarfare capacities in its 2015 White Paper, China's Military Strategy. It focuses on the “informatization” of war, with cyberspace becoming a “new pillar of economic and social development, and a new domain of national security”, and thus involving changes in military preparations with “information dominance”. Specifically, China’s goal moved towards “winning informationized local wars” with the “development of a cyber force, and enhanc[ing] its capabilities of cyberspace situation awareness, cyber defence, support for the country’s endeavours in cyberspace and participation in international cyber cooperation.” Moreover, the white paper stresses pressing national security threats, such as in the maritime field. “Maritime military struggle” can be understood in China’s overseas interests as energy and sea lines of communication which “become prominent”.
Cyberspace became a “Major Security Field” in the 2019 white paper, China’s National Defense in the New Era, equivalent in strategic importance to conventional and nuclear defence. The 2020 publication The Science of Military Strategy outlines the “Construction and Development of Cyberspace Forces”, articulating the necessity of its continued and rapid development into a weaponised, deployable, and integrated force with manpower spanning civilian and military personnel.
Reflecting China’s growing doctrinal appreciation of cyber capacities, Mandiant has currently identified 29 Advanced Persistent Threat (APT) actors with suspected Chinese origins, while MITRE has identified 18. These actors vary in the degree to which they have been investigated and the degree to which they are connected to the state apparatus - either falling under the direct control of the Chinese government, acting as state-sponsored but unofficial groups, or operating as standalone actors. The groups are alleged to conduct industrial, political, and military espionage via backdoor infiltration, phishing, distributed denial of service (DDoS), ransomware, and malware attacks.
A well-known military actor is PLA Unit 61398 (61398部队) or APT1, tasked with computer network operations (CNO) and “focusing on political, economic and military-related intelligence” according to the Project 2049 Institute. The unit operates command-and-control (C2) servers with active listening or communication programs, of which six are based in Taiwan. Additional units alleged to fall under the PLA ORBAT include Unit 61486 (also known as APT2 or Putter Panda), an organisation first uncovered by a CrowdStrike investigation in 2014, as well as Unit 78020, also known as Naikon.
Moreover, there are a minimum of six additional China-based cyber groups with credible assertions linking them to operations in Taiwan:
Most recently, Flax Typhoon was accused by Microsoft in August 2023 of launching persistence, lateral movement, and credential access operations against Taiwanese networks.
Intelligence analysis by Taiwanese firm TeamT5 has alleged groups called BlackTech, APT41, and APT23 were responsible for backdoor infiltrations across Taiwanese media stakeholders leading up to and following U.S. House Speaker Nancy Pelosi’s 2022 visit to the country.
APT41 has been further accused by the U.S. Department of Justice of conducting racketeering and phishing operations between December 2014 and July 2018 on individuals and organisations across 14 jurisdictions, including Taiwan, through a PRC-registered company called Chengdu 404 Network Technology. This is corroborated by Mandiant investigative reporting, and in 2020, the United States indicted five Chinese nationals accused of being behind the attacks.
APT23 or Tropic Trooper has also been active since 2012 and is alleged to have used stolen credentials to infiltrate Taiwanese and Philippine military infrastructure to conduct data theft and espionage.
APT16, first reported by FireEye, conducted a spearphishing campaign throughout late 2015 targeting Taiwanese media and approximately 50 Democratic People’s Party (DPP) staff preceding the 2016 election of President Tsai Ing-wen.
APT24 or Pitty Tiger has been active since at least 2012 and has targeted Taiwanese defence and telecommunication infrastructure with malware attacks.
It is key to note that this is not an exhaustive list of all the PRC-linked organisations that target Taiwan, but rather examples where a particular state-sponsored group can be linked to a specific attack or infiltration. With over 15,000 cyberattacks being launched against Taiwan every second in the first half of 2023 alone, the scale of China-linked organisations conducting attacks on the country is likely to be far greater. There are numerous examples of cyber operations that have not been linked to a specific actor, but can nonetheless be credibly asserted to be of Chinese origin.
Parallel to the growth of its cyber operations doctrine, China has further broadened the scope of its capacities to now span 54 separately identified MITRE ATT&CK Framework strategies. China, via its state-sponsored groups, has demonstrated the capacity to conduct operations across 12 different categories of cyber operations. Under each of these are between two and ten narrower cyber operations techniques, which can be further divided into as many as six subtechniques. This reflects a highly capable and versatile cyber operations capacity.
While the groups noted above are unlikely to be the only PRC-sponsored groups targeting Taiwan, credible investigations into their operations combined with evidence of expanding Chinese cyberwarfare capacity reflect the defence policy ambitions noted above. China has seen a large degree of success in the operationalisation of its cyberwarfare ambitions, and is likely to continue to be a persistent threat to Taiwan.
Disinformation Campaigns
Since Tsai’s inauguration in 2016, disinformation operations have been a significant focal point of China's cyberattacks on Taiwan. Estimates by Taiwanese think tanks indicate that China launches 2,400 daily disinformation attacks on popular social media platforms in Taiwan such as YouTube, Line, and PTT. Disinformation operations are a part of the PLA’s novel tactic for psychological warfare in the digital age called “cognitive domain operations” which seek to alter opponents’ cognitive functions such as public opinion and decision-making during kinetic activity. While disinformation attacks on Taiwan have been launched by the Chinese government, the majority appear to be launched by social media users based in China or Malaysia. Given Taiwan’s immensely high internet penetration (92%) and the upcoming 2024 elections, where one-fifth of the voters are not aligned with any party, potentially serving as a determinative bloc, Chinese disinformation operations are a source of high concern for the Taiwanese administration.
Chinese disinformation operations typically employ two main methods. First, fake accounts publish original content on Taiwanese social media platforms like Line, or online discussion boards like PTT. Second, Taiwanese content farms connected to China are used to promote various news stories that negatively portray the DPP government and highlight the attractiveness of pro-unification. These campaigns aim to demoralise the Taiwanese public by depicting the incumbent government as incompetent, the US as untrustworthy, and the island as defenceless against a potential invasion. The current president, Tsai Ing-wen, has been a major target of Chinese misinformation operations for both electoral and military means. Her depiction as the leader steering Taiwan towards disaster is China’s attempt to prevent her re-election and her becoming a token of resistance similar to Zelensky in Ukraine.
A notable example of a disinformation attack occurred a month after Tsai's re-election in January 2020 when a group of Chinese users launched a petition on the US government petition website, WeThePeople, falsely claiming that the president forged her doctorate degree. The petition also denounced Tsai for undermining Taiwan's democracy, freedom, and the rule of law. It aimed to delegitimise Tsai’s presidency and question her integrity. This disinformation campaign was then heavily promoted by another network of users on Facebook, Instagram, and Twitter. Throughout February and March that year, the petition was mentioned 1,296 times in various Facebook groups and pages. The dissemination of disinformation about Tsai's educational background and the rapid amplification of this message highlight the power and reach of Chinese disinformation campaigns.
Chinese disinformation attacks around Taiwanese presidential elections are well-documented. However, it is important to note that China's primary targets for its disinformation operations are actually local elections. China exploits the fragmented informational landscape that Taiwanese citizens have to navigate as they elect more than 10,000 local offices every four years, which gives it ample space for the dissemination of conspiracy theories to the local people. Although the November 2022 local elections experienced less Chinese interference than previous elections, disinformation campaigns targeting them will undoubtedly persist as China continues to demonstrate its unwavering commitment to reunification.
Despite this, Chinese disinformation campaigns have not yet been successful at swaying Taiwanese public opinion. According to an August 2022 survey by Taiwan's Mainland Affairs Council, 84.7% of Taiwanese citizens surveyed opposed one country, two systems. Moreover, the DPP and its candidate William Lai continue to lead in opinion polls.
Over time, Taiwan has developed a robust anti-disinformation defence system, relying on nonprofit fact-checking organisations as its initial line of defence. Entities like Cofact and Taiwan Factcheck Center work in collaboration with the government to debunk rumours and conspiracy theories before they can spread to popular social media platforms. Taiwan has also increased prosecutions under its existing legislation against disinformation and launched media literacy campaigns where the local population is taught how to recognise false information.
Cyber Vulnerabilities of Communication Infrastructure
The security of Taiwan’s communications infrastructure is an important aspect of its overall exposure to cyberattacks. Taiwan is largely dependent on submarine fibre-optic cables to connect to the global internet and to maintain contact with the outlying island groups of Penghu, Kinmen, and Matsu. Submarine cables can be interrupted by both kinetic and cyber incidents, compromising the integrity and availability of the data they carry. Recent damage to the cables connecting Taiwan to Matsu, along with changes in the operation of cable landing stations, is bringing greater attention to the system’s vulnerabilities.
In early February 2023, the two cables that link the Matsu Islands to Taiwan were damaged. One cable is believed to have been damaged by a Chinese fishing vessel and the other by the anchor of a Chinese cargo ship. This resulted in the near total loss of internet connectivity for Matsu residents until repairs were completed on one cable in late March. In the interim, a back-up microwave radio system was used, but only provided about 5% of the cables’ normal bandwidth.
This incident, believed to be accidental, highlighted the vulnerability of Taiwan’s submarine cables. The two Matsu cables have been cut 27 times in the past five years, an unusually high number even considering the shallow waters of the Taiwan Strait. Expanded sand dredging by Chinese vessels is expected to increase damage further, as buried cables close to shore are exposed.
Cyberattacks, on the other hand, would likely target cable landing stations (CLS), where submarine cables connect to the terrestrial network. To reduce manpower, these facilities have been turning to remote management systems that run the stations remotely through an internet connection. Connecting these systems to the global internet adds vulnerabilities that conventionally staffed stations did not have.
In April 2022, the United States Homeland Security Investigations announced the first publicly-known cyberattack on a CLS remote management system. An undisclosed “international hacking group” breached the servers running the system, seeking full access to data transmissions. While ultimately unsuccessful, the attempt shows that remote management systems can be a new route to compromising submarine cables’ data.
There is evidence that the PLA already has operations involving the submarine cable system. Unit 61398 operates a work station near the Chongming CLS and likely bases an element near Nanhui CLS, both in Shanghai. A reported 60% of China’s phone and internet traffic enters and exits China just through the cables landing on Chongming Island. At least four of the cables landing there connect directly to Taiwan. Unit 61398 is believed to use this access to data to contribute to the PLA’s political and military operations.
Furthermore, a leaked Chinese database of points-of-interest in Taiwan contained 510 information and communication infrastructure locations, including cable landing stations. The same IP address that contained the database was linked to earlier malicious cyber-incidents targeting the United States, reinforcing the idea that Taiwan’s information infrastructure may be the target of further cyberattacks.
Attacks against Taiwan’s information infrastructure would have knock-on effects on all industries and government functions that rely on the internet. An effort to damage cables, which could be done by either military vessels or merchant marine ships, would drastically impair Taiwan’s military command-and-control, business interactions, and communication with the outside world. Cyberattacks on CLS could compromise the confidentiality, integrity, and availability of data, and be used to push political or military agendas while also increasing businesses’ operating costs.
Impact & Forecast
Economy
Chinese cyber-attacks targeting the infrastructure of Taiwanese public and private organisations have resulted in consequential financial and operational setbacks. From November 2021 to February 2022, Taiwanese financial companies were presumably targeted by Chinese cyberattacks by the group APT10. This attack led to disruptions in investments and the loss of brokerage and personally identifiable information (PII), impacting Taiwanese economic growth.
Among the sectors most heavily targeted by cyber-attacks in Taiwan are manufacturing, IT and logistics. Taiwan is the producer of around 60% of semiconductors in the world and Taiwan Semiconductor Manufacturing Co. (TSMC) alone accounts for more than fifty percent of it, the industry being the "silicon shield" of the region. The semiconductor industry is therefore a primary target for cyber-attacks. In the first six months of 2023, the daily cyber-attacks targeting Taiwanese businesses increased by 80% compared to the same period in 2022. These attacks, motivated by their lucrative business and ease of execution, disrupt the supply chain, resulting in financial losses for manufacturers and constituting a global threat due to the essential role that microchips play in the global economy.
The frequency and sophistication of cyberattacks directed at the semiconductor industry have increased in tandem with the implementation of various cyberwarfare strategies, leaving the sector vulnerable to cyber-attacks and espionage and disrupting its production and operational systems. This deteriorates the global and technological economy and severely disrupts the global supply chain.
Furthermore, the industry organisations susceptible to the cyber assaults have been experiencing detrimental effects on their reputations, including impacts on stock prices, erosion of consumer confidence, and strained partnerships.
However, to directly respond to the cyber-attacks on the industry infrastructure, significant companies have strengthened their cyber security defences and re-evaluated their global strategies, including joint ventures and partnerships where IP infringement is substantial. This further increases operational and training expenses and negatively affects the cyber collaborations in the APAC region.
National Security
The cyber and information domains have become a predominant part of the PLA’s doctrine and actions against Taiwan, posing a national security threat to the island. From cyberattacks on essential sectors, such as semiconductors, to disinformation campaigns impacting the local population and the disruption of communications, China is actively putting in place its “three warfares” (public opinion warfare, psychological warfare, and legal warfare) to expand its influence.
Such tactics, using a range of attacks in the “cyberspace, blockade, and kinetic campaigns could be designed to force Taiwan to capitulate to unification or compel Taiwan’s leadership to the negotiation table on the PRC’s terms” according to the US Department of Defense 2023 Annual Report on Military and Security Developments involving the People’s Republic of China.
Forecast
With the Taiwanese presidential elections in January 2024, it is reasonable to anticipate that Chinese cyberattacks towards Taiwanese infrastructures will persist, and even escalate, with increasing disinformation campaigns from state-sponsored cyber groups. Beijing is highly motivated to influence public sentiments and voting trends to favour the mainland and its policies, undermining Taiwanese sovereignty. Furthermore, according to Doublethink Lab, it is likely that the Chinese cyber army is well prepared to coordinate social media posts, DDoS attacks and website defacements. Even though Taiwan is trained and equipped to face cyberattacks, a well-planned attack could lead to paralysis of government IT systems, impairing power supplies and turning off major public infrastructures ahead of political events to deface the present government.