Taiwan’s NSB says Chinese cyber attacks on critical infrastructure are up 113% daily since 2023 - Industrial Cyber
January 06, 2026
New data from Taiwan’s National Security Bureau (NSB) shows that China’s cyber army launched an average of 2.63 million intrusion attempts per day in 2025 against the island’s critical infrastructure across nine key sectors, including government agencies, energy, communications, transportation, emergency services and hospitals, water resources, finance, science and industrial parks, and food installations. The activity represents a 6% increase over 2024, while the average number of daily attacks in 2025 jumped 113% from 2023, with the energy and emergency rescue and hospital sectors seeing the sharpest year-on-year rise in cyberattacks linked to Chinese threat actors.
In its report titled ‘Analysis on China’s Cyber Threats to Taiwan’s Critical Infrastructure in 2025,’ the agency disclosed that China’s cyberattacks against Taiwan’s critical infrastructure organizations involve four major tactics: attacks on hardware and software vulnerabilities, distributed denial-of-service (DDoS) attacks, social engineering attacks, and supply chain attacks. China uses these tactics flexibly when launching cyberattacks. The report also detailed that China’s cyber activity spans multiple critical sectors, with tactics tailored to each environment and objective.
Among China’s cyberattacks against Taiwan, over 50% of cases involve attacks on hardware and software vulnerabilities. The NSB detailed that China has exploited the four vulnerabilities discovered by Chinese industries, government, and academia to strengthen its technical capacity for vulnerability weaponization.
China has actively exploited software and hardware vulnerabilities in information and communication technology (ICT) equipment that is manufactured by international suppliers or covered by government procurement joint supply contracts. Chinese hackers target ICT equipment in Taiwan’s critical infrastructure that has unpatched vulnerabilities, circumventing identity verification and gaining administrative access to steal secrets.
“China’s cyber army exploits a large number of botnets to send high-frequency connection requests simultaneously with an aim to compromise the operation of CI’s external networks,” the NSB reported. “Such a move intends to delay or paralyze CI’s services, and thus impact Taiwanese people’s daily lives.”
The agency also found that China’s cyber army is adept at posing as business contacts of its targets and sending phishing emails that lure specific targets into clicking malicious links and opening malicious attachments. “Chinese hackers may also employ the ClickFix technique to fabricate error messages or update requirements. These techniques aim to lure the targets to activate malware, and take the chance to acquire higher system permissions.”
Lastly, China’s cyber army also tries to infiltrate the networks of suppliers of Taiwan’s critical infrastructure as well as their cooperative enterprises. Using identity theft to cover their illegal activities, Chinese hackers hijack those targets’ shared systems, system upgrades, and equipment maintenance to implant and spread malware among Taiwan’s critical infrastructure.
The NSB identified that China’s cyberattacks have been conducted in conjunction with political and military coercive actions. In 2025, hacking and intrusion operations against Taiwan showed a degree of correlation with the joint combat readiness patrols carried out by the People’s Liberation Army.
Additionally, China ramps up hacking activities during Taiwan’s major ceremonies, the issuance of important government statements, or overseas visits by high-level Taiwanese officials. Notably, the cyberattacks targeting Taiwan peaked in May of 2025, the first anniversary of President Lai Ching-te’s inauguration.
“Cyberattacks conducted by China’s cyber army involve four major tactics, namely hardware and software vulnerability exploitation, distributed denial-of-service (DDoS), social engineering, and supply chain attacks,” the agency noted. “In particular, attacks exploiting hardware and software vulnerabilities accounted for more than half of China’s hacking operations, underscoring China’s growing efforts to strengthen the operational capacity of vulnerability weaponization.”
The Taiwanese agency said that the top five Chinese hacker groups, BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886, launched cyber operations against Taiwan’s CI, focusing on five primary sectors: energy, healthcare, communications and transmission, administration and agencies, and technology.
BlackTech targeted administration and government agencies, communications and transmission networks, and science parks. Flax Typhoon focused its activity on emergency rescue services, hospitals, and science parks. Mustang Panda primarily targeted administration and government agencies and the energy sector.
Additionally, APT41 conducted operations across a broad range of sectors, including administration and agencies, energy, communications and transmission, emergency rescue services and hospitals, science parks, transportation, and water resources. UNC3886 targeted administration and government agencies, as well as science parks.
Interestingly, the hacking methods included intensive probing of network equipment and ICS (industrial control systems) of Taiwan’s energy companies, and malware implantation. Hackers also employed ransomware to compromise the operation of major hospitals and sold data stolen from medical institutions on dark web forums. In 2025, at least 20 cases were identified.
The NSB also pointed out that China’s cyber army exploited vulnerabilities in the network equipment of Taiwan’s telecom industry, and hacked into networks of service providers and subcontractors to infiltrate sensitive and backup communication links. “The threat actors also sent highly-tailored social engineering emails to specific agencies of Taiwan’s central government. Moreover, aside from Taiwan’s science parks, the hacking activities were also extended to upstream, midstream, and downstream suppliers in the semiconductor and defense sectors. Those campaigns sought to steal advanced technologies, industrial plans, and decision-making intelligence.”
The agency also observed that China conducts cyber operations in conjunction with political and military coercion. “China’s cyberattacks targeting Taiwan exhibit the characteristics of political and military coercion. In 2025, China’s cyberattacks against Taiwan demonstrated a degree of correlation with the joint combat readiness patrols (JCRP) conducted by the People’s Liberation Army (PLA) against Taiwan. The PLA conducted a total of 40 JCRPs against Taiwan in 2025. During which, China’s cyber army simultaneously escalated their cyberattacks against Taiwan for 23 times.”
In the energy sector, Chinese threat actors are probing network equipment and industrial control systems across both state-owned and private energy companies, including petroleum, electricity, and natural gas operators. Software upgrade cycles are exploited to implant malware, enabling long-term tracking of operational planning, material procurement, and the development of backup systems, to undermine the sector’s operational resilience.
In the healthcare sector, attackers continue to exploit vulnerabilities in hospital websites and internal systems, using ransomware to disrupt operations and steal sensitive patient data and healthcare research. Stolen medical data has been sold on dark web forums at least 20 times in 2025, supporting a mix of objectives that include intelligence collection, financial gain, and public intimidation.
Across the communications and transmission sector, Chinese cyber operators are exploiting weaknesses in telecommunications networks to maintain persistent, covert access to the systems of telecom providers and their contractors. Techniques such as man-in-the-middle attacks are used to intercept communications and user data, including sensitive and backup links, posing risks to the security and resilience of both domestic and international telecommunications networks.
In government administration and agencies, attacks are closely aligned with current political developments. Threat actors deploy tailored social engineering emails that impersonate legitimate business or policy correspondence related to trade and cross-strait affairs. Malicious attachments are used to implant backdoors for data theft, after which stolen information is repackaged and distributed on dark web forums, with the dual aim of intelligence gathering and eroding public trust in government cybersecurity.
In the technology sector, Chinese cyber operations target science parks as well as semiconductor and military industries across the supply chain, from design and manufacturing to packaging and testing. Attackers rely on a combination of supply chain compromises, social engineering, and vulnerability exploitation to steal advanced technologies, industrial plans, and decision-making intelligence, supporting China’s push for technological self-reliance while seeking to offset disadvantages in the US-China technology competition.
Throughout 2025, cybersecurity agencies and intelligence services across the Indo-Pacific region, NATO, and the European Union repeatedly identified China as a primary source of global cybersecurity threats. Additionally, China has fully integrated military, intelligence, industrial, and technological capabilities across both public and private sectors to enhance the depth of intrusion and operational stealth of its external cyberattacks through a wide range of cyberattack tactics and techniques.
In response to China’s cyber threats, the NSB will continue to work with the national intelligence community and relevant government agencies through the established joint defense and reporting mechanisms on information security to report and address China’s cyberattacks promptly.
The NSB established cybersecurity cooperation with over 30 countries worldwide in 2025. Through information security dialogues and technical conferences, the NSB strives to obtain timely intelligence on attack patterns of China’s cyber army. Furthermore, through networks of international information security cooperation, the NSB conducts joint investigations into malicious relay nodes, thereby supporting government decision-making, response preparedness, and further enhancing the overall resilience and capacity of Taiwan’s critical infrastructure protection.
“The NSB urges all nationals to raise their cybersecurity awareness and remain vigilant against cyber threats posed by China, so that we could jointly safeguard the comprehensive cybersecurity of Taiwan.”
Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.