Massive Daily Cyberattacks Target Taiwan’s Critical Infrastructure

Taiwan’s National Security Bureau revealed that during 2025, cyber forces linked to China launched an average of approximately 2.63 million intrusion attempts per day against Taiwan’s critical infrastructure.

Although the activity occurred throughout 2025, the findings were formally released on January 4, 2026, signaling that the threat remains active, adaptive, and ongoing, rather than historical or resolved.


Scope of Targeted Infrastructure

According to the report, attackers focused on systems whose disruption could have nationwide cascading effects, including:

  • Energy and utilities – power generation, grid management, and backup systems
  • Healthcare – hospital networks, patient data systems, and emergency services
  • Communications – telecom operators, internet backbone services, and data centers

Officials emphasized that these sectors were not merely probed but continuously scanned and stressed, suggesting preparation for potential future escalation rather than immediate destruction.


Tactics, Techniques, and Objectives

The National Security Bureau outlined a diverse and evolving set of attack methods:

  • Vulnerability exploitation: Rapid weaponization of newly disclosed software and hardware flaws
  • DDoS campaigns: Designed to degrade availability and test system resilience
  • Supply-chain attacks: Attempts to compromise vendors, contractors, and managed service providers
  • Social engineering: Phishing and impersonation aimed at credential theft and lateral access

Rather than relying on a single vector, attackers used layered and redundant approaches, increasing the likelihood of partial access even when primary defenses held.


Political Timing and Psychological Pressure

A key finding was the presence of sharp spikes in attack activity aligned with major political moments, including elections, cross-strait developments, and high-profile diplomatic events.

Taiwanese officials assessed that these surges served multiple purposes:

  • Testing the surge capacity of cyber defenses
  • Creating public uncertainty and institutional stress
  • Signaling cyber reach and persistence without overt military action

This pattern aligns with broader gray-zone tactics, where pressure is applied continuously below the threshold of armed conflict.


Strategic Assessment

The bureau characterized the campaign as:

  • Persistent – millions of attempts daily over an extended period
  • Regionally significant – reflective of broader Indo-Pacific cyber competition
  • Preparatory in nature – consistent with reconnaissance and access-seeking behavior

While no catastrophic infrastructure failures were publicly attributed to these attacks, officials stressed that the absence of visible damage does not equate to an absence of impact, particularly in long-term intelligence collection and access positioning.


Defensive Posture and Ongoing Risks

Taiwanese authorities reported strengthening:

  • Cross-agency cyber coordination
  • Real-time threat intelligence sharing
  • Public–private cooperation with infrastructure operators

However, the bureau warned that the scale and automation of hostile cyber activity continue to grow, placing sustained pressure on defenders and increasing the risk of miscalculation or spillover during future crises.


Bottom Line

The January 2026 disclosure reframes 2025’s activity not as a closed chapter, but as part of a long-running, intensifying cyber contest in which critical infrastructure has become a frontline domain.