Part 3 of a 5 part series
Part 1: So What is the Cyber Threat from China, Exactly?
Part 2: The Chinese Cyber Threat to the United States of America
Written by Lulia Liu Pan and Matthew Willis
Taiwan has been a primary target of a wide range of Chinese Communist Party (CCP) cyber operations in the past twenty years. These operations have ranged from harassment or denial of service campaigns in response to political events to long-term espionage operations against private companies. In the past decade the CCP shifted its targets from exclusively government-focused, to a mix of private and public targets. A dramatic increase in the volume of incidents has accompanied this shift which followed the candidacy and election of the Democratic Progressive Party (DPP) in 2016. Furthermore, there is a heightened correlation between political events in Taiwan and retaliatory cyber incidents initiated by the CCP.
Chinese cyber-attacks have escalated dramatically over the past decade. According to a Japanese-funded Defense Research Institute report, China launched 1.4 billion cyberattacks against Taiwan from September 2019 to August 2020. The attacks primarily aimed to spread disinformation in Taiwan, with its authors assessing China’s cognitive warfare against Taiwan to be a “great threat”.[i] More specifically, Chien Hung-wei, Taiwan’s cyber security department director, estimated that there are around 5 million cyber-attacks and probes daily – half of them from China.[ii] This increase in cyberattacks closely mirrors the deterioration in relations between Taipei and Beijing.
Moreover, the severity and objectives of CCP cyber operations have varied since 2000. For example, in 2001, there was a hack of the Democratic Progressive Party (DPP) due to a meeting between their high-level officials and the Dalai Lama. Nearly two decades later, Chinese Petroleum Corporation and Formosa Petrochemical Corporation – two of the largest state-owned energy companies – received malware from various cyber organizations. In the former, the CCP targeted a political party for political reasons, while in the latter case, the CCP targeted major infrastructure to disrupt critical industries.
In the prior two situations, the CCP’s goal was disruption – taking down websites, disrupting online activities, and causing political annoyance. However, the severity of the attacks was limited. Short disruptions affected government networks, but they quickly recovered. On the contrary, there have been notable examples of broader objectives of intelligence gathering and higher severity. China employed two APT’s efforts to target government infrastructure more widely and collect more sensitive information for immediate use. For example, from 2007 to 2009, Shady RAT_B launched a series of data theft campaigns targeting the Taiwanese government along with several corporations.[iii] Likewise, within a similar timeframe, GhostNet_B breached numerous agencies to collect state secret information.[iv]
While government departments are the most common focus for Chinese cyber operations, there have also been noticeable infiltrations by CCP affiliated cyber groups into private companies. For example, APT Antlion deployed a backdoor called xPack on compromised systems in major Taiwanese financial institutions until August 2021 for at least 18 months. This network infiltration allowed them to exfiltrate data from the company’s systems, such as business contacts and investment details.[v] Similarly, APT 27 has been reported to have engaged in more financially motivated cybercrime from 2021 onwards, even hacking major gaming companies worldwide.[vi] However, even though these efforts were successful, it is not immediately clear whether someone intended them as long-term or short-term espionage.
These incidents highlight an important trend: a shift from focusing on almost exclusively government targets to a mix of public and private ones. This change manifests in the DCID data set from 2015 onwards.[vii] A likely reason for this would be the candidacy and subsequent presidency of Tsai Ing-Wen. Through successful targeting of private entities along with public ones, it potentially undermines the administration’s security credibility and their support within the private sector.
Lastly, cyber-attacks have become more overtly retaliatory concerning developments within Taiwan. For example, when Nancy Pelosi visited last year, APT 27 targeted many highly visible targets such as local 7/11s, railway and mass transit stations, cafeterias, sporting events, and banking infrastructure.[viii] According to reports, attackers paralyzed the Taiwan Defense Department’s official website, and launched a surge of attacks on the country’s general digital infrastructure.[ix] Similarly, the attacks on the two state-owned petroleum companies coincided with the inauguration of President Tsai-Ing Wen. This widening scope and punishment for specific political actions has caught the attention of senior U.S. officials, such as Secretary of State Blinken who expressed concern over Beijing’s use of “criminal contract hackers” to express their political objections.[x]
[i] Lin, Tsuei-yi, and Hetherington William. “China Intensifying Cyberattacks against Taiwan: Report.” Taipei Times. 台北時報, November 28, 2022. taipeitimes.com/News/front/archives/2022/11/29/2003789784.
[ii] “Taiwan Government Faces 5 Million Cyber Attacks Daily: Official.” France 24. France 24, November 10, 2021. france24.com/en/live-news/20211110-taiwan-government-faces-5-million-cyber-attacks-daily-official.
[iii] Alperovitch, Dmitri. “Revealed: Operation Shady RAT.” McAfee, 2022. mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf.
[iv] Information Warfare Monitor. “Tracking GhostNet: Investigating a Cyber Espionage Network.” Information Warfare Monitor. 2009.
[v] Symantec Enterprise. “Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan.” February 22, 2022. symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks.
[vi] O’Donnell, Lindsey. “Major Gaming Companies Hit with Ransomware Linked to APT27 | ThreatPost.” January 5, 2021. Accessed March 2023. threatpost.com/ransomware-major-gaming-companies-apt27/162735/.
[vii] Valeriano, Brandon. “Dyadic Cyber Incident Dataset v 2.0.” Harvard Dataverse, 2022. doi.org/10.7910/DVN/CQOMYV.
[viii] Hammond, Stefan. “Hacking 7-11 in Taiwan.” CDOTrends, 2022. https://www.cdotrends.com/story/16650/hacking-7-11-taiwan.
[ix] “APT 27 ‘Honker Organization’: They Have ‘Entered Taiwan’!Oh, and …” iMedia. iMedia, 2023. min.news/en/taiwan/a25265b13c3fbddb1c74ffd530d9643d.html.
[x] Holland, Steve, and Doina Chiacu. “U.S. and Allies Accuse China of Global Hacking Spree.” Nasdaq, July 20, 2021. nasdaq.com/articles/u.s.-and-allies-accuse-china-of-global-hacking-spree-2021-07-20.