Executive Summary
In 2025, Taiwan experienced a dramatic surge in cyberattacks against its energy sector, with incidents increasing tenfold compared to the previous year, as reported by the country's National Security Bureau. Chinese nation-state groups, such as BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886, orchestrated targeted campaigns that leveraged hardware and software vulnerabilities, DDoS, social engineering, and supply-chain tactics. These attacks predominantly focused on industrial control systems and aimed to implant malware during key software upgrade windows, affecting vital infrastructure in petroleum, electricity, and natural gas domains and raising geopolitical and operational security concerns.
This incident highlights the persistent threat of coordinated nation-state cyber activity against critical infrastructure, especially during politically sensitive periods. The tactics and techniques observed reflect global trends in the exploitation of operational technology and underscore the increasing need for advanced defense and cross-border intelligence sharing.
Why This Matters Now
The tenfold escalation of cyberattacks on Taiwan's energy sector underscores the urgent risk that sophisticated nation-state actors pose to critical infrastructure worldwide. With attackers exploiting operational technology and software supply chains, these incidents reveal growing vulnerabilities that could disrupt not only national security but also the global energy supply chain.
Attack Path Analysis
Attackers initiated the campaign by exploiting unpatched vulnerabilities and weaknesses in network equipment and industrial control systems during scheduled software upgrades. Once inside, they escalated privileges using malware to establish persistence and gain deeper access to critical energy sector environments. Lateral movement ensued as adversaries pivoted between workloads, regions, or segments – often targeting sensitive control systems and material procurement platforms. Command and control was achieved by covertly communicating with external infrastructure, leveraging unfiltered outbound channels. Exfiltration activities included the transfer of operational plans and sensitive data to external destinations. Ultimately, impact was realized through persistent access, potential disruption of critical energy operations, and intelligence gathering aligned to geopolitical events.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited known and zero-day vulnerabilities in ICS devices, network appliances, and leveraged opportunities during legitimate software upgrades to implant malware.
Related CVEs
CVE-2022-41328
CVSS 7.5
Path traversal vulnerability in FortiOS allows an authenticated attacker to execute unauthorized code or commands via crafted HTTP requests.
Affected Products:
Fortinet FortiOS – 7.0.0 to 7.0.6, 7.2.0 to 7.2.1
Exploit Status:
exploited in the wild

CVE-2023-34048
CVSS 9.8
An out-of-bounds write vulnerability in VMware vCenter Server allows a malicious actor with network access to execute arbitrary code.
Affected Products:
VMware vCenter Server – 7.0.0 to 7.0.3
Exploit Status:
exploited in the wild

CVE-2023-20867
CVSS 7
A privilege escalation vulnerability in VMware ESXi allows a local attacker to gain root privileges.
Affected Products:
VMware ESXi – 6.7.0 to 6.7.0 U3, 7.0.0 to 7.0.2
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation for Client Execution
Access Token Manipulation
Valid Accounts
Phishing
Supply Chain Compromise
Endpoint Denial of Service
Command and Scripting Interpreter
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIS2 Directive – Cybersecurity risk-management measures
Control ID: Article 21
CISA Zero Trust Maturity Model 2.0 – Asset Management and Vulnerability Management
Control ID: Asset
NYDFS 23 NYCRR 500 – Cybersecurity Policy and Access Privileges
Control ID: Section 500.03, Section 500.07
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 8
PCI DSS v4.0 – Timely Security Updates
Control ID: Requirement 6.2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Primary target of China's nation-state espionage with 1000% attack increase targeting industrial control systems, malware injection during upgrades, and operational planning theft.
Utilities
Critical infrastructure vulnerability to Chinese APT groups exploiting hardware/software flaws, targeting petroleum, electricity, natural gas sectors with persistent network access and monitoring capabilities.
Government Administration
Coordinated Chinese cyber operations target agencies through phishing and data-theft attacks timed to political events, requiring enhanced Zero Trust segmentation and threat detection.
Telecommunications
The communications sector is experiencing adversary-in-the-middle attacks and exploitation of persistent network access, necessitating encrypted traffic protection and east-west traffic security measures.
Sources
- Taiwan says China's attacks on its energy sector increased tenfold – https://www.bleepingcomputer.com/news/security/taiwan-says-chinas-attacks-on-its-energy-sector-increased-tenfold/ (Verified)
- China launched 2.63 million daily cyberattacks against Taiwan in 2025: NSB – https://focustaiwan.tw/cross-strait/202601040009 (Verified)
- Chinese cyberattacks rising: NSB report – https://www.taipeitimes.com/News/front/archives/2026/01/05/2003850052 (Verified)
- APT and financial attacks on industrial organizations in Q2 2024 – https://ics-cert.kaspersky.com/publications/reports/2024/10/03/apt-and-financial-attacks-on-industrial-organizations-in-q2-2024/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, east-west traffic controls, inline threat detection, egress policy enforcement, and encryption of internal and hybrid network flows would have substantially constrained and detected the adversary throughout the attack lifecycle. These CNSF-aligned capabilities deny lateral movement, limit exfiltration risk, and enable rapid detection of exploitation or C2 activity within critical infrastructure.
Control: Inline IPS (Suricata)
Mitigation: Exploitation attempts against known vulnerabilities would be blocked or immediately alerted on.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous privilege escalation activity is rapidly detected for response.
Control: Zero Trust Segmentation
Mitigation: Lateral movement is denied via identity-based network segmentation.
Control: Cloud Firewall (ACF)
Mitigation: Outbound C2 traffic is detected and stopped at the cloud perimeter.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data transfer is detected and prevented.
High-fidelity, centralized monitoring rapidly exposes and enables remediation of attacks.
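The segmentation and egress controls listed above, as an added example that is not part of the original report: a small Python policy evaluator that assigns each flow record to a zone, denies cross-zone lateral movement that no identity-based rule permits, and denies any egress from the OT zone that is not on an allowlist. The zone map, addresses and flow records are hypothetical, constructed for this illustration.

```python
# Added example, not the report's code: a minimal Zero Trust segmentation and
# egress policy evaluator. Zone map is hypothetical; addresses are constructed.
import ipaddress

SEGMENTS = {
    "corp-it": ipaddress.ip_network("10.10.0.0/16"),
    "ics-control": ipaddress.ip_network("10.20.0.0/16"),
    "procurement": ipaddress.ip_network("10.30.0.0/16"),
}
# Identity-based east-west rules: (src zone, dst zone, dst port) that may talk.
EAST_WEST_ALLOW = {
    ("corp-it", "procurement", 443),
    ("ics-control", "ics-control", 502),   # Modbus stays inside the OT zone
}
# Egress allowlist per zone; the OT zone gets no direct internet egress at all.
EGRESS_ALLOW = {
    "corp-it": {("203.0.113.10", 443)},    # constructed vendor patch mirror
    "ics-control": set(),
    "procurement": set(),
}

def zone_of(addr):
    """Map an address to its zone, or None if it is outside the estate."""
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in SEGMENTS.items() if ip in net), None)

def evaluate(src, dst, dport):
    """Return ("allow"|"deny", reason) for one flow under the policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None:
        return ("deny", "inbound from outside the estate: perimeter decides")
    if dst_zone is not None:                      # internal -> internal
        if (src_zone, dst_zone, dport) in EAST_WEST_ALLOW:
            return ("allow", "east-west flow permitted by policy")
        return ("deny", f"lateral movement {src_zone}->{dst_zone}:{dport} not permitted")
    if (dst, dport) in EGRESS_ALLOW[src_zone]:    # internal -> external
        return ("allow", "egress to allowlisted destination")
    return ("deny", f"unfiltered egress from {src_zone} to {dst}:{dport} (possible C2/exfil)")

def triage(flows):
    """Return only the denied flows, each with its reason, for the alert queue."""
    return [(f, evaluate(*f)[1]) for f in flows if evaluate(*f)[0] == "deny"]

# Constructed flow records modelled on the attack path described above.
SAMPLE_FLOWS = [
    ("10.10.5.5", "10.30.1.2", 443),       # IT -> procurement portal: allowed
    ("10.10.5.5", "10.20.7.7", 502),       # IT host pivoting into OT: denied
    ("10.20.7.7", "198.51.100.25", 443),   # OT host reaching the internet: denied
    ("10.10.5.5", "203.0.113.10", 443),    # IT -> patch mirror: allowed
]
```

Running `triage(SAMPLE_FLOWS)` yields only the pivot into the OT zone and the OT host's outbound connection, which are the two steps of the attack path that segmentation and egress enforcement are meant to stop.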
Impact at a Glance
Affected Business Functions
- Energy Production
- Power Distribution
- Hospital Operations
- Emergency Services
Estimated downtime: 3 days
Estimated loss: $5,000,000
Potential exposure of sensitive operational data from energy and healthcare sectors, including patient records and infrastructure schematics.
Recommended Actions
Key Takeaways & Next Steps
- Deploy inline IPS and real-time threat detection to block exploitation of known vulnerabilities across converged IT/OT environments.
- Enforce Zero Trust Segmentation and least-privilege networking to contain lateral movement among workloads, users, and network segments.
- Institute stringent egress policy enforcement and encrypted traffic inspection to prevent C2 and data exfiltration attempts.
- Leverage centralized, multicloud visibility and anomaly detection to streamline detection and response across all cloud and hybrid domains.
- Integrate workload, Kubernetes, and cloud firewall controls to secure all east-west, north-south, and hybrid flows using policy-driven, identity-based frameworks.