Mirroring Western tactics, China’s main intelligence agency and private sector allies are publicly unmasking alleged Taiwanese hackers in a gambit to sway domestic and international opinion

Then-president Tsai Ing-wen attends the ICEFCOM headquarters inauguration in June 2017. Photo: Office of the President of the Republic of China/Wikimedia Commons
Public attribution of cyber activities is China’s latest technique for pressuring Taiwan and shaping the international dialogue around cybersecurity. While this isn’t the first time the Chinese government has publicly attributed cyber activity targeting it (that was aimed at the United States in 2022), in September 2024, the Chinese government launched a campaign of publicly identifying cyber operations attributed to Taiwan’s government.
So far, this campaign has included the release of three sets of information on Taiwanese cyberattacks. All three attributed intrusion activity to Taiwan’s cyber command, the Information, Communications, and Electronic Force Command (ICEFCOM), and each included typical Chinese government rhetoric criticising ‘secessionist’ elements in Taiwan. These releases are notable for the increasing number of individuals identified in each (three, four, and then twenty) and for their illustration of the tight relationship between the Chinese government and private cybersecurity companies based in China.
This campaign likely serves multiple goals, including pressuring Taiwan, counterbalancing international allegations of Chinese hacking, and even painting Taiwan as an aggressor to justify future Chinese operations. These releases threaten individuals working for Taiwan’s military with arrest and attempt to persuade others not to support actions against the mainland. The latter two of these releases went further, explicitly tying ICEFCOM to Taiwan’s ruling Democratic Progressive Party (DPP), which China views as a barrier to reunification.
For the last decade, the United States and its allies have regularly released information and indictments blaming China for hacks against their countries. China has always denied these claims, but now appears to be mirroring Western name-and-shame tactics to persuade audiences in China, Taiwan, and third countries that Taiwan is just as much of a cyber threat.
An escalating series of information releases
The campaign began on September 22 last year, when China’s main intelligence agency, the Ministry of State Security (MSS), posted on WeChat that a little-known hacktivist group calling itself ‘Anonymous 64’ was actually run by Taiwan’s cyber command. They went on to identify three individuals who they claim are responsible for Anonymous 64’s activities. Anonymous 64’s now-suspended X account claimed responsibility for defacing the website of a Chinese urban rail conference and hacking digital signs in Hong Kong and other places to display an anti-Chinese Communist Party (CCP) image (below). The post goes on to say the authorities have filed a case against the three people involved, but no further details are given.

An anti-CCP image posted by Anonymous 64
On March 16, the MSS followed up with a second WeChat post about Taiwanese hacking, this time a high-level profile of Taiwan’s cyber command. The post states that ICEFCOM is a cyber warfare unit that conducts espionage, sabotage, and propaganda operations against China. The report focuses on propaganda activities, claiming they supported ‘the DPP authorities’ “independence” actions’. It also identifies four additional alleged ICEFCOM members, sharing their names, birthdays and Taiwanese ID numbers, and criticises Taiwan’s government for wasting money and corruption among ICEFCOM commanders.
This second MSS post appeared to be coordinated with the release of information on the Taiwanese cyber command by private Chinese cybersecurity firms. On March 17, the day after the MSS post, three cybersecurity companies released detailed blogs describing the tactics, techniques, and procedures of ICEFCOM, which they track under various vendor-specific names. Antiy CERT released a blog detailing a campaign conducted by the group in fall 2024. QiAnXin released an overview on the group, which they call APT-Q-20, detailing a spring 2025 campaign that attempted to steal login credentials. Finally, DAS-Security (Anheng) published a report with some technical details and indicators of compromise, but went further than the others in echoing the MSS claim that Taiwan’s cyber command is behind the hacking. None of the blogs mention the MSS post directly, but their publication was very likely planned in concert, given the close timing.
Finally, in late May, Chinese authorities made a third attribution to Taiwan, when local police in Guangzhou province posted a note on their Weibo stating that a ‘foreign hacker organization’ had targeted a local technology company. A week later, another post said that the police, working with ‘national authoritative agencies’, had determined that the attack had been carried out by ‘a hacker group related to the DPP authorities in Taiwan’. Media reporting also stated that cybersecurity company Qihoo 360 had assisted in the attribution, with their founder Zhou Hongyi cited as saying they had used ‘network security intelligence’ without giving any details. The posts continued to escalate on June 5, when the Tianhe District Branch released a ‘reward notice’, identifying twenty individuals who were involved in the operation, along with their pictures and Taiwan ID numbers.
Attribution campaign supports Chinese priorities and government rhetoric
This series of public attributions to Taiwan accomplishes multiple goals for China’s intelligence agency. Since August 2023, when it debuted its WeChat account with a stated intent of educating the public about the need to be vigilant against foreign espionage, the MSS has been much more vocal about its activities. They have released a plethora of case studies about espionage operations they have disrupted. The releases on Taiwanese hacking are always coupled with appeals to the public to be vigilant about cyber hygiene and to report incidents to the authorities, highlighting their educational role. It is unlikely that these releases are based on new information; Taiwanese cyber command activity has been public knowledge as far back as 2014.
The attributions also support rhetorical efforts to intimidate Taiwan and interfere in its domestic politics. This campaign hit a high point in March this year, when the Chinese military’s Eastern Theater Command released videos depicting, among other things, Taiwanese President and DPP leader Lai Ching-te as an insect leading Taiwan to destruction and calling him a parasite. This focus on Lai and the DPP is reflected in characterisations of Taiwan-based hacking. While the September 2024 report links hackers to ‘Taiwan independence’ forces, by April 2025 they were said to be carrying out instructions ‘issued by the DPP authorities’. Finally, in the May release, Taiwan’s cyber command is not mentioned; instead, the perpetrators are referred to as ‘a hacker group related to the Democratic Progressive Party authorities in Taiwan, China’. The escalating focus on the DPP also fits with Chinese attempts to paint the party as a ‘troublemaker’ and to draw a contrast with the opposition Kuomintang, which typically takes a more conciliatory stance towards Beijing.
The campaign of attribution against Taiwan is in marked contrast to how China has attributed US activity. While the past two years have seen China increasing its pace of publicly attributing cyber operations to the United States, these attributions have been done via China’s National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT/CC), rather than the MSS. These releases have had similar splashy graphics and coverage in state media, but they have not tied the intrusions to a particular US political party, a difference of approach worthy of further investigation.
The importance of the private sector
The private sector has played a key part in MSS attributions to Taiwan. Publicising technical evidence that supports the intelligence agency’s assertions and gives more detail on the techniques used by the alleged Taiwanese group increases the credibility of the accusations. The MSS likely has significant internal evidence to support its conclusions, but may be leaning on private companies to release data publicly to sidestep declassification requirements.
This close coordination between private sector cybersecurity companies and the Chinese government demonstrates that the companies are prioritising winning favour with the CCP over their ability to win business outside of China. The companies have been willing to attribute activity to Taiwan before, with Antiy releasing a much more detailed attribution of ICEFCOM (which they track as Green Spot) to Taiwan in 2018. However, this close and public coordination with Chinese intelligence is a new phenomenon that would give potential customers outside China pause. The companies’ willingness to go along with MSS plans shows they do not believe they have a significant potential market in countries sceptical of China.
More attributions to come
The diversification of the releasing agencies, cooperation of the private sector, and the consistent geopolitical priorities of the CCP mean public attribution of cyber intrusion activity to Taiwan is likely to continue and may increase in volume. The May attribution was released by a local police department, suggesting that these types of public statements are being encouraged within the Chinese security bureaucracy. Prominent coverage of local authorities’ public attributions in leading propaganda organs will likely inspire more parts of the bureaucracy to join in. While these local organisations may not have the internal cyber capabilities to attribute on their own, if they can lean on the private sector for attribution expertise, the volume of attribution will likely rise further.

