Chinese cyberattacks on Taiwan’s critical infrastructure — including energy utilities and hospitals — rose 6% in 2025, averaging 2.63 million attacks a day.

China’s cyber-threat groups continue to ramp up their attacks on Taiwan, boosting cyber activity against the self-ruled island’s critical infrastructure and seemingly conducting cyber operations during the majority of its joint military exercises targeting Taiwan.

As a result, Taiwan experienced an average of 2.63 million attacks every day in 2025, a 6% increase over the previous year’s daily average of 2.46 million attacks targeting critical infrastructure, the National Security Bureau stated in a report published last week. Energy infrastructure suffered a tenfold increase in cyberattacks, while emergency rescue and hospital systems saw a 54% increase, the two largest increases in 2025.

The increasing attacks suggest “a deliberate attempt by China to compromise Taiwan’s CI comprehensively and to disrupt or paralyze Taiwanese government and social functions,” the NSB stated. “China’s moves align with its strategic need to employ hybrid threats against Taiwan during both peacetime and wartime.”

The report comes as the relationship between China and Taiwan suffered setbacks in the past year. China considers the island — a former Japanese colony that became independent when the Nationalist Party retreated to the island following its defeat in a civil war against the Chinese Communist Party in 1949 — as part of its territory. The island democracy, however, continues to resist political efforts to absorb it into the mainland. In December, the US committed to an $11 billion arms sale to Taiwan, and Japan’s recently elected prime minister caused a kerfuffle by stating that if China attacked Taiwan, it would threaten Japan’s survival and allow the country to exercise its right of self-defense.

In the past year, cyberattacks have both coincided with political events — such as the one-year anniversary of the current president’s inauguration — and correlated to some degree with the 40 joint combat readiness patrols (JCRP) conducted around Taiwan’s territory by the People’s Liberation Army. In nearly two dozen JCRPs, China’s cyber operatives ramped up attacks against Taiwanese targets, the NSB stated in its report.

‘Siege Rehearsal’

While the slight increase in daily attacks may not seem like an escalation, the fact that energy infrastructure and emergency services are increasingly targeted means that China is being more selective, says Collin Hogue-Spears, senior director of solution management at Black Duck, who has significant experience in both mainland China and Taiwan.

“Taiwan is not facing a cyber campaign — it is facing a siege rehearsal,” he says, adding: “What matters is that Beijing now treats Taiwan’s power grid and hospitals the way an artillery commander treats a forward observation post: something to neutralize in the first hour of conflict.”

The NSB statistics are based on attacks detected in the network flows through Taiwanese gateways, so figuring out which attacks are critical and which consist of probes is difficult, says Charles Li, chief analyst at TeamT5, a Taiwan-based cyber threat intelligence company. While most of the attacks detected by the NSB were blocked before reaching critical infrastructure operators, more advanced attacks could bypass those first-layer defenses, he says.

“We also observed multiple cases [where] advanced actors successfully compromised CI entities in Taiwan,” Li says. “These successful attacks usually come with advanced methods, such as zero-day exploitation or supply-chain attacks, that are very hard to defend.”

The NSB classified attacks into four major categories. More than half of attacks (57%) targeted hardware and software vulnerabilities, while only 4% targeted the supply chain. The remaining attacks were distributed nearly equally between denial-of-service attacks (21%) and social-engineering attempts (18%).

Five Cyberthreat Groups

Taiwan’s National Security Bureau identified five Chinese groups as the main adversaries in cyberspace. Nearly all the groups target government administration and agencies, but BlackTech also focuses on communications infrastructure and science parks. Another group, Flax Typhoon, appears to be the main group targeting hospitals, while Mustang Panda and APT41 target energy infrastructure. The last group, UNC3886, also focuses on science parks.

“China’s cyber army intensively probes into the network equipment and industrial control systems of Taiwan’s public-owned and private energy companies, including those in the petroleum, electricity, and natural gas sectors,” the NSB stated. “In addition, when Taiwan’s energy companies carry out software upgrades, Chinese hackers would take the opportunity to implant malware into their systems, so as to keep track of the operational planning of Taiwan’s energy sector concerning operational mechanisms, material procurement, and establishment of backup systems.”

Overall, the threat from China has become more deliberate and more consequential over the years. China and other adversaries have recognized that operational technology is both essential and often under-protected, says Bill Moore, CEO of industrial-control system cybersecurity firm Xona. In 2023, China seemed to shift gears from widespread attacks and banking vulnerabilities to also pre-compromising infrastructure, a tactic known as “pre-positioning.”

“When a nation-state gains persistent access, they’re not just observing; they’re positioning for future disruption,” he says. “What enables both is the same gap, the insecure access pathways that connect user endpoints directly to critical systems. That architecture, where a compromised laptop can reach a control system, is what turns a breach into an operational crisis.”

Taiwanese Defense

While most attacks amounted to disinformation campaigns or espionage that aimed to secretly collect information, the attacks should worry the entire world, says TeamT5’s Li. While Taiwan is China’s main interest, other democracies are being targeted as well, he says.

Taiwan is “not the only victim and they [China] are conducting similar attacks [across] the whole world,” he says. “We truly believe countries that bear similar mindset and democratic systems should ally together to share more cyber threat intelligence so we could stand together to counter such a giant enemy.”

While the NSB’s tracking of the data shows that it has visibility into the network, critical-infrastructure organizations need to look out for specific indicators of compromise (IOCs) and hunt for threats they might have missed, says Black Duck’s Hogue-Spears.

“Security leaders must stop measuring success by volume blocked and start measuring sector-specific intrusion depth,” he says. “If you report only aggregate defense rates, you will miss the adversary already mapping your ICS control systems during software upgrade windows.”


Read Article on Dark Reading