Taiwan China Cyberattacks on Energy Sector Increased Tenfold

Several widely read reports and government disclosures published in early January 2026 have highlighted a sharp escalation in China-linked cyber activity targeting Taiwan’s critical infrastructure, with Taiwan’s National Security Bureau (NSB) stating that attacks against the energy sector increased tenfold in 2025 compared to 2024.

The NSB’s assessment frames the activity as sustained and strategic, not just opportunistic hacking. It describes coordinated intrusion attempts across multiple sectors, spikes aligned with major political moments, and a heavy focus on techniques designed to gain durable access to operational networks rather than simply steal data and disappear.

Taiwan’s National Security Bureau Reports Broad Targeting Across Nine Sectors

Taiwan’s NSB says China’s cyber activity targeted nine major critical infrastructure sectors in 2025: administration and agencies, energy, communications and transmission, transportation, emergency rescue and hospitals, water resources, finance, science parks and industrial parks, and food.

The bureau reports that Taiwan’s national intelligence community identified an average of roughly 2.63 million intrusion attempts per day against these sectors during 2025. That figure represents a 6% increase compared to 2024, signaling that China-linked cyber operations continued to expand in volume while also shifting toward higher-impact targets.

While the report notes that some sectors saw stable activity or reductions, the energy sector showed the most dramatic change. The NSB says energy-focused cyberattacks rose by 1,000% year-over-year, the largest surge of any category in the dataset.

Energy Sector Attacks Increased 1,000% in 2025

Taiwan’s NSB says the most significant activity was recorded in the energy sector, where intrusion attempts increased tenfold in 2025 compared to the previous year.

The report describes sustained probing of both network equipment and industrial control systems used by Taiwan’s energy companies, including organizations in the petroleum, electricity, and natural gas sectors. This detail matters because it points beyond typical corporate IT targeting and toward operational technology environments that support real-world infrastructure.

According to the NSB, the activity included monitoring for opportunities to implant malware during planned software upgrades. That timing is significant because upgrade windows can create temporary operational gaps where systems are in transition, controls are loosened, or trusted update processes can be abused.

Taiwan says the goal of these intrusions went beyond disruption. The report indicates that attackers sought insight into operational planning, material procurement, and the establishment of backup systems, suggesting an intelligence-gathering posture that could support longer-term strategic objectives.

Cyber Activity Spiked During Political and Military Events

Taiwan’s NSB says cyber operations appeared to correlate with major political events, government announcements, and overseas visits by senior Taiwanese officials. The bureau also notes that cyber activity showed a degree of alignment with People’s Liberation Army joint combat readiness patrols, implying that cyber pressure and military signaling were being executed in parallel.

The report highlights that the peak of cyberattacks against Taiwan occurred in May 2025, which it describes as the first anniversary of President Lai’s inauguration. The NSB’s framing suggests cyber intrusions may be used not only for intelligence gathering but also for coercion, signaling, and pressure during politically sensitive moments.

This pattern is consistent with a broader trend seen across multiple regions where state-linked cyber activity increases during events that raise geopolitical tension or generate attention around sovereignty, alliances, or defense posture.

Four Main Attack Methods Identified

Taiwan’s NSB says four primary tactics stood out in 2025.

The most common method was exploitation of hardware and software vulnerabilities, which the report says accounted for more than half of observed operations. This emphasis suggests a continued push toward vulnerability weaponization, rapid targeting of exposed systems, and sustained scanning for entry points across critical networks.

The NSB also cites:

  • Distributed denial-of-service (DDoS) activity aimed at disruption or pressure
  • Social engineering campaigns designed to trick specific personnel into giving up access
  • Supply chain incidents targeting vendors, subcontractors, and upstream technology providers

These tactics can be used independently, but they are often most effective when combined. For example, social engineering can provide initial access while vulnerability exploitation deepens persistence, and supply chain targeting can provide indirect access into higher-value environments.

Industrial Control Systems and Upgrade Windows Were a Key Focus

One of the most important claims in the NSB assessment is that China-linked operators were not merely scanning energy companies, but “intensively” probing industrial control systems and then watching for malware injection opportunities during software upgrades.

This type of activity can be interpreted as prepositioning. Instead of immediately disrupting systems, attackers may be attempting to establish long-term access that can be activated later, or used to quietly collect intelligence on infrastructure planning, procurement, maintenance, and resilience strategies.

In critical infrastructure environments, the line between espionage and operational risk can be thin. Even if an intrusion does not trigger an outage, persistent access to industrial networks creates the potential for disruption during a future crisis, and it can provide a detailed map of how systems behave under stress.

Communications, Government, Healthcare, and Technology Were Also Targeted

While energy saw the largest year-over-year surge, the NSB says multiple other sectors experienced notable targeting.

The emergency rescue and hospitals sector saw a reported 54% increase in cyberattacks in 2025. The report states that threat actors used ransomware to compromise the operation of major hospitals and that stolen data from medical institutions was sold on dark web forums. Taiwan says at least 20 such cases were identified during the year.

The communications and transmission sector saw a smaller but still meaningful rise, with Taiwan describing adversary-in-the-middle activity and persistent access efforts via network equipment flaws. The report suggests that telecom infrastructure and service provider networks were probed as pathways into sensitive communication links, including backups.

Government agencies were targeted through phishing and data theft attempts, with “highly tailored” social engineering messages aimed at specific departments. Meanwhile, Taiwan’s technology sector was targeted through supply chain and social engineering activity intended to steal advanced semiconductor and industrial technologies, including upstream, midstream, and downstream suppliers connected to science parks and defense-adjacent manufacturing.

Chinese Threat Groups Named in the NSB Report

Taiwan’s NSB attributed the activity to multiple Chinese threat groups that are widely associated with long-running espionage and infrastructure targeting campaigns.

The report names:

  • BlackTech
  • Flax Typhoon
  • Mustang Panda
  • APT41
  • UNC3886

The NSB says these groups focused operations on five primary sectors: energy, healthcare, communications and transmission, administration and agencies, and technology. The report’s framing emphasizes that these attacks are not random. They are directed at systems that support national continuity and high-value industrial advantage.

International Cooperation and a Larger Regional Security Trend

Taiwan’s NSB says it is cooperating with more than 30 countries that identify China as a major cyber threat and is participating in intelligence sharing and joint investigations into malicious infrastructure.

The bureau’s statement places Taiwan’s experience inside a wider pattern. It notes that cybersecurity agencies and intelligence services across the Indo-Pacific, NATO, and the European Union repeatedly identified China as a primary source of global cybersecurity threats throughout 2025.

The NSB also argues that China has integrated military, intelligence, industrial, and technological capabilities across both public and private sectors to increase the depth and stealth of its external cyberattacks. In practical terms, this implies an ecosystem where tooling, access methods, vulnerability exploitation, and infrastructure can be shared or coordinated at scale.

Why a 1,000% Energy Sector Surge Is a Strategic Warning Signal

A tenfold increase in attacks against energy infrastructure is more than a cybersecurity statistic. It indicates that Taiwan’s energy sector is being treated as a priority target in an environment where cyber operations are tied to geopolitical pressure.

Energy systems are foundational. Persistent access to their networks can provide intelligence about operational planning, procurement, and resilience measures, and in a crisis scenario, access can become leverage.

Even when intrusions do not cause immediate outages, they can degrade trust, increase operational costs, and force defensive shifts that affect long-term planning. When combined with coordinated political and military activity, energy-focused cyber operations can function as part of a broader coercive strategy.


Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.