Taiwan’s critical infrastructure faced a surge in cyberattacks from Chinese hackers in 2025, with an estimated 2.63 million intrusion attempts daily across vital sectors. This intensification of digital warfare, documented by Taiwan’s national intelligence community, represents a 6% increase from the previous year, underscoring a growing threat to national security, energy, healthcare, communications, and transportation systems.
The coordinated cyber campaigns appear intricately linked with China’s military exercises and political events. Notably, cyberattacks peaked during significant Taiwanese ceremonies and high-level diplomatic engagements, with May 2025 — coinciding with President Lai’s inauguration anniversary — experiencing record levels of malicious activity. This multifaceted approach suggests a strategic effort to gather intelligence on government decision-making and disrupt Taiwan’s operations through both digital and conventional means.
Chinese Hackers Target Taiwan’s Critical Infrastructure with Sophisticated Attacks
Analysis from the National Security Bureau reveals that energy and healthcare sectors bore the brunt of these attacks. Five prominent Chinese hacker groups—BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886—were identified as leading these coordinated operations. The healthcare sector, in particular, was subjected to ransomware attacks, with at least 20 confirmed incidents resulting in the theft of sensitive medical data, which was subsequently found for sale on dark web forums.
The deliberate targeting of Taiwan’s healthcare infrastructure highlights a concerning trend where adversaries aim to inflict harm on civilian populations and essential services, thereby increasing the psychological and operational impact of their campaigns. This strategy extends beyond mere data theft, aiming to instill fear and undermine public trust in critical institutions.
Vulnerability Exploitation as the Primary Attack Vector
According to NSB researchers, vulnerability exploitation emerged as the predominant method for gaining unauthorized access, accounting for over half of all observed hacking operations. This indicates a strategic pivot towards systematically exploiting unpatched systems and known weaknesses within Taiwan’s digital defenses. Threat actors meticulously conducted reconnaissance on network equipment and industrial control systems, particularly within the energy sector, employing specialized vulnerability scanning tools to identify the most accessible entry points before deploying malicious software.
The technical methodology often involved mapping network topologies using ICMP and TCP scanning, identifying outdated firmware versions, and leveraging publicly known Common Vulnerabilities and Exposures (CVEs) to establish initial footholds. Once inside compromised networks, attackers focused on establishing persistence through the installation of web shells and the harvesting of legitimate user credentials. The telecommunications sector also proved especially susceptible, with attackers managing to penetrate service provider networks and gain access to backup communication links by compromising administrative accounts.
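The ICMP and TCP scanning described above leaves a recognizable trace in flow logs: one source touching many distinct hosts or ports in a short time. The following Python sketch is an added example, not taken from the NSB findings or any tool named in this article, and it flags that pattern for defenders. The log layout, thresholds, function names and sample records are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                  r"proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?")

def build_sample():
    """Constructed flow records (documentation IP ranges), not real traffic."""
    rows = []
    # Fast scanner: pings 5 hosts, then SYNs 6 ports on one host, all within 16 s.
    for i in range(5):
        rows.append(f"2025-01-01T03:14:{i:02d}Z src=203.0.113.7 dst=10.20.0.{10 + i} proto=ICMP")
    for i, port in enumerate((22, 23, 80, 102, 443, 502)):
        rows.append(f"2025-01-01T03:14:{10 + i:02d}Z src=203.0.113.7 dst=10.20.0.12 proto=TCP dport={port}")
    # Ordinary client: same service over and over.
    for i in range(6):
        rows.append(f"2025-01-01T03:{20 + i}:00Z src=198.51.100.9 dst=10.20.0.12 proto=TCP dport=443")
    # Slow scanner: one new port every two minutes.
    for i, port in enumerate((21, 22, 80, 443, 8080)):
        rows.append(f"2025-01-01T03:{30 + 2 * i}:00Z src=192.0.2.50 dst=10.20.0.12 proto=TCP dport={port}")
    return "\n".join(rows)

def detect_recon(log_text, window_s=60, host_threshold=4, port_threshold=5):
    """Map each source to the scan types it shows inside one sliding window.
    Assumes each source's records arrive in time order."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)    # src -> (timestamp, kind, target) still in window
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue               # ignore lines that do not parse
        if m["proto"] == "ICMP":
            event = ("icmp_sweep", m["dst"])
        elif m["proto"] == "TCP" and m["dport"]:
            event = ("tcp_scan", (m["dst"], int(m["dport"])))
        else:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["src"]]
        q.append((ts, *event))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        for kind, limit in (("icmp_sweep", host_threshold), ("tcp_scan", port_threshold)):
            if len({t for _, k, t in q if k == kind}) >= limit:
                findings[m["src"]].add(kind)
    return dict(findings)

if __name__ == "__main__":
    print(detect_recon(build_sample()))
```

With the default 60-second window the slow scanner at 192.0.2.50 goes unnoticed. Widening the window catches it, at the cost of keeping more state per source.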
These extensive cyber operations were not confined to Taiwan’s borders. Evidence suggests that campaigns also targeted partners within the semiconductor and defense supply chains, aiming to acquire sensitive design documentation and strategic plans. This broader scope of targeting underscores China’s intent to undermine Taiwan’s technological advantages and industrial capabilities, further escalating the geopolitical implications of these cyber threats.
The increased frequency and sophistication of these attacks underscore the ongoing challenges in maintaining robust cybersecurity for critical infrastructure. As threat actors evolve their tactics, continuous adaptation and investment in advanced defense mechanisms are paramount. Future efforts will likely focus on enhancing real-time threat detection, rapid patching of vulnerabilities, and strengthening international cooperation to counter state-sponsored cyber threats effectively.

