Is China’s Cyber Campaign a Rehearsal for Invasion?


An increasingly sophisticated and relentless digital onslaught against Taiwan is no longer a matter of random cybercrime but a highly coordinated campaign that security experts believe serves as a prelude to potential military action. This systematic effort, orchestrated by state-sponsored actors, has shifted from broad, disruptive attacks to a more insidious strategy of infiltrating and mapping the island’s most essential services. This calculated approach is now widely interpreted as a form of hybrid warfare, meticulously designed to test defenses, destabilize society in peacetime, and create the conditions for a swift paralysis of Taiwan’s societal functions should a conflict ever erupt. The sheer volume and precision of these operations signal a deliberate and ominous preparation of a digital battlefield, raising urgent questions about the nature of modern warfare and the vulnerability of critical national infrastructure in an interconnected world.

A Strategic Shift from Volume to Precision

The raw data paints a picture of a nation under constant digital siege, with Taiwan’s National Security Bureau (NSB) reporting a staggering average of 2.63 million cyberattacks per day in 2025. This figure represents a notable 6% increase from the 2.46 million daily incidents recorded just the year before, highlighting a clear upward trend in hostile activity. However, the most concerning development is not the volume but the strategic targeting of these attacks. The NSB report revealed a tenfold surge in cyber intrusions aimed at Taiwan’s energy infrastructure, while its emergency rescue and hospital systems endured a 54% spike. This laser-focused approach strongly suggests a deliberate campaign by China to comprehensively compromise the island’s critical infrastructure. Security analysts view this as a core component of its hybrid threat doctrine, aiming to create widespread disruption and erode public confidence by targeting the very systems that underpin daily life and national resilience.

This evolution from indiscriminate attacks to a methodical strategy of “pre-positioning” digital assets within Taiwan’s core systems marks a grave new phase in the conflict. Collin Hogue-Spears, a security expert with Black Duck, contends that this is not merely a “cyber campaign” but more accurately described as a “siege rehearsal.” He likens the intense focus on the power grid and medical facilities to an artillery commander methodically identifying primary targets to be neutralized in the opening salvos of a military engagement. This perspective posits that Beijing is actively preparing the cyber domain for a potential kinetic conflict. Bill Moore, CEO of Xona, reinforces this view, noting that a pivotal shift occurred in 2023 when Chinese actors moved beyond common attacks to actively pre-compromising infrastructure. Moore warns that when a nation-state achieves persistent access, it is not just for observation but for positioning assets for future disruption, turning a simple breach into a potential operational crisis.

Synchronizing Cyber and Military Operations

The hybrid nature of China’s strategy is thrown into sharp relief by the clear and consistent correlation between its cyber operations and its real-world political and military maneuvers. The NSB report confirmed that the intensity of cyberattacks frequently peaked around significant political events, such as the one-year anniversary of the current president’s inauguration, demonstrating an intent to exert pressure during moments of national significance. This digital coercion is not conducted in a vacuum; it is often synchronized with the movements of the People’s Liberation Army (PLA). In a striking example of this coordination, nearly two dozen of the 40 joint combat readiness patrols (JCRPs) conducted by the PLA around Taiwan were accompanied by a substantial escalation in cyberattacks launched by Chinese operatives against Taiwanese targets. This tight coupling of digital and physical actions provides a cohesive narrative of a multi-domain pressure campaign designed to intimidate and destabilize.

This integrated approach aims to create a constant state of alert and fatigue within Taiwan’s defense establishment, blurring the lines between peace and conflict. By synchronizing digital assaults with military drills, Beijing can test Taiwan’s response capabilities across multiple fronts simultaneously, gathering valuable intelligence on its command-and-control structures, reaction times, and defensive protocols. Each coordinated event serves as a stress test, revealing weaknesses that can be exploited in a future scenario. This strategy allows China to maintain a persistent, low-level pressure that stops short of open warfare but continuously erodes Taiwan’s security posture. The ultimate goal of this multi-domain campaign is to create an environment of uncertainty and vulnerability, shaping the strategic landscape in Beijing’s favor long before any physical confrontation might begin.

The Cyber Arsenal and its Malicious Actors

A detailed breakdown of the attack vectors employed reveals a sophisticated and multi-pronged methodology. According to the NSB’s findings, the majority of intrusions, a full 57%, successfully exploited known and unknown vulnerabilities in hardware and software. The remaining attacks were strategically divided among denial-of-service campaigns (21%), which aim to overwhelm and shut down online services, and social-engineering attempts (18%), which manipulate individuals into divulging sensitive information. A smaller but significant portion of attacks (4%) involved complex supply-chain compromises, targeting third-party vendors to gain backdoor access to primary targets. The report also identified five primary Chinese state-sponsored cyberthreat groups responsible for orchestrating these operations: BlackTech, which focuses on government agencies and communications; Flax Typhoon, which appears to be the main group targeting hospitals; and Mustang Panda and APT41, both of which concentrate their efforts on Taiwan’s vital energy infrastructure.

These state-backed groups utilize advanced tactics to achieve deep and persistent infiltration. The NSB provided a specific example, stating that “China’s cyber army intensively probes into the network equipment and industrial control systems of Taiwan’s public-owned and private energy companies.” This involves more than just superficial scans; it is a methodical effort to map out entire networks and identify critical control points. These groups are also adept at exploiting routine operational procedures, such as scheduled software upgrades, to implant stealthy malware. Once embedded, this malicious code allows them to covertly monitor a wide range of sensitive activities, including operational planning, material procurement processes, and the establishment of backup and redundancy systems within the energy sector. This level of access provides them with a comprehensive understanding of the sector’s capabilities and vulnerabilities, essentially handing them the keys to disrupt power generation and distribution at a time of their choosing.

A New Paradigm for National Defense

The defensive efforts undertaken by Taiwan, while robust, faced significant challenges that highlighted the limitations of conventional cybersecurity postures. Official statistics, as noted by Charles Li of the cyber threat intelligence firm TeamT5, primarily reflected attacks that were successfully detected and blocked at network gateways. He cautioned that more sophisticated intrusions, particularly those leveraging zero-day exploits or intricate supply-chain compromises, were specifically designed to bypass these initial layers of defense. His firm’s independent observations confirmed this chilling reality, having documented multiple cases where advanced persistent threat actors had successfully breached Taiwanese critical infrastructure entities. This evidence suggested that the official figures, while alarming, likely underestimated the true extent of the infiltration, as an unknown number of adversaries may have already established a persistent presence deep within critical networks.

This evolving threat landscape necessitates a fundamental shift in defensive thinking and underscores the urgent need for enhanced international cooperation. Li emphasized that Taiwan was not an isolated target; China was actively conducting similar pre-positioning campaigns against critical infrastructure on a global scale. This reality called for the formation of a proactive alliance of democratic nations dedicated to the collaborative sharing of cyber threat intelligence to effectively counter this widespread menace. Security leaders were urged to move beyond the traditional metric of measuring success by the volume of blocked attacks. Instead, the new imperative was to focus on “measuring sector-specific intrusion depth” and to adopt a mindset of active threat hunting. This meant proactively searching for adversaries that may have already penetrated their networks and could be quietly mapping industrial control systems during seemingly routine operations, transforming cybersecurity from a passive defense into an aggressive and forward-looking discipline.
