Discussions about Taiwan’s security often focus on the military domain, but in any crisis, the resilience of Taiwan’s critical infrastructure to Chinese cyberattacks would likely be tested.
Information about critical infrastructure is closely guarded, making it difficult to assess Taiwan’s cyberreadiness. But incidents such as one last month, when a Taiwanese college student halted four high-speed rail trains using only off-the-shelf radio equipment, are hardly encouraging.
There is growing concern about China’s escalating cyber pressure on Taiwan and its possible impact in a crisis. In a speech at the CYBERSEC conference in Taipei earlier this month, Lin Ying-Dar, president of the National Institute of Cyber Security, highlighted the risk that any cyberattack could create cascading failures across other sectors.
Also at the conference, Chuck Weissenborn, CTO at Dragos Public Sector, highlighted a new, China-linked cyberespionage group called Azurite that targets Taiwan and several other countries.
“The only reason you need to collect some of the information they are collecting is if you intend to cause an attack,” he said.
In 2025, on average, China’s cyber army launched 2.63 million intrusion attempts per day against Taiwan’s critical infrastructure, according to a report from Taiwan’s National Security Bureau. That is a 6% increase on the previous year, but more than double the figure from 2023.
Amidst this constant barrage of cyberattacks, Taiwan is a country that still functions very well. That, however, may be less indicative of the resilience of the systems and more suggestive of the attackers’ intentions.
The main aim of these cyberattacks, experts say, may well not be chaos – at least for now. Rather, they’re trying to understand Taiwan’s vulnerabilities.
“The aim is to understand the cyber terrain of the critical infrastructure of Taiwan, and know where and what they can turn off at their military time of choosing,” said William Hagestad, a retired lieutenant colonel in the US Marines and expert on Chinese cyberwarfare.
It is mainly about understanding the vulnerabilities and what they can crash, agrees Dr Shih-Hao Chang, an associate professor at National Taipei University of Technology and member of Taiwan’s Cybersecurity Research Center.
And as AI becomes more advanced, it will offer additional tools for both attackers and defenders. Hagestad highlights the “automated hacking” capabilities increasingly available to China. “For example, you could ask AI to construct a series of attacks against all essential services within Taiwan,” he said. “‘Bring me back all of the IP addresses of every telephone central office in the country, and then run an exploit discoverability tool against that, and make it happen on my command.’”
What is China targeting specifically?
“They’re looking at those systems that support the critical infrastructure of the country: water systems, airports, ports,” said Hagestad. “Anything that, if taken out, would cause confusion amongst the civilian population, so they would start to doubt the Taiwanese government’s ability and resolve to protect them against China if it were to invade.”
Once hackers get into a system, one thing they could do is wreak havoc, he acknowledged. “But I don’t think the Chinese military hackers are bent on destruction because they want to preserve Taiwan and its infrastructure,” he continued. They just want to be able to disable it temporarily.
In the report about Chinese cyberthreats to critical infrastructure, Taiwan’s security agency said that energy and hospital sectors experienced the “most significant year-on-year surge in cyberattacks from Chinese threat actors.”
China’s cyber army continues exploiting vulnerabilities in the websites and systems of major hospitals in Taiwan, utilising ransomware to compromise the operation of those hospitals, the report said. Exploitation of hardware and software vulnerabilities accounted for more than half of the intrusion attempts.
It’s worth noting that the figure of 2.63 million daily intrusion attempts from the report is just the cyberattacks that the government is aware of. The actual number of attacks is “definitely higher” than that, said Chang.
These uncounted attacks are the most concerning because they show how clearly the attackers understand the infrastructure. “They already understand what kind of attack you cannot identify,” he said.
Chang added another caveat: the actual number of cyberattacks matters less than the quality of them. In other words, analysis should focus more on what is being targeted and what kinds of weaknesses are being found. The government is not conducting this kind of analysis, he believes, though his team is working on it themselves.
One of the most striking figures from the report is the 1,000% year-on-year rise in cyberattacks on energy infrastructure.
As a report from the Atlantic Council noted in 2024, “several of Taiwan’s critical infrastructures, such as the electric grid and the water system, are significantly centralised or have other notable vulnerabilities … that increases the potential consequences from a successful cyberattack.”
Due to this centralisation, Taiwan’s grid is fragile even in peacetime, and therefore it is particularly vulnerable in a conflict.
The government is now working to boost its resilience, but increased use of both renewable power and smart grids may create additional cyber vulnerabilities that can be exploited.
The grid and water systems have some amount of redundancy built in. But if an “attack concurrently happens in many places, the whole thing crashes,” warned Chang.
“Once they understand where to use which protocols to control [certain things], they can control the physical devices,” he said. For “some of our [critical infrastructure], maybe they already know how to do that.”
China’s understanding of Taiwan’s critical infrastructure is likely being enhanced by long-standing use of Chinese hardware. One of the risks raised globally around Chinese hardware has been that it will have been designed to send information back to China, giving China a ‘map’ of a system that makes it easier to work out what to attack.
Officially, the Taiwanese government has stopped buying Chinese hardware. In December 2020, the Executive Yuan began prohibiting the use of Chinese information and communications products by government agencies, including software, hardware and services. Many agencies have clauses in their tenders forbidding the purchase of Chinese products.
But this has failed to stop all new purchases, as Chinese-made equipment can easily be resold by Taiwanese companies. In 2024, a Taiwanese contractor and its subsidiary installed banned Chinese-made equipment and devices at four solar power project sites at three military facilities, according to the Ministry of National Defense’s Armaments Bureau.
And in 2022, an investigation found that banned security and surveillance products from China had entered Taiwan disguised as Taiwanese brands. According to the reporting, later confirmed by a government investigation, Chinese-made surveillance equipment – labeled as “made in Taiwan” – was discovered at Taiwan’s most important industrial park, which is managed by the Ministry of Economic Affairs. The MOEA has stated that the products violated the contract and had been replaced, noting also that the systems were not connected to the internet and so posed no risk of an information security leak.
Meanwhile, older Chinese systems pre-dating the ban may remain in use in parts of the critical infrastructure. Quickly replacing existing hardware and software – which both work perfectly fine – can be challenging, Chang noted, because of the risk that any issues created by installing new systems could lead to disruption.
Typically, organisations running critical infrastructure don’t upgrade their operational technology systems until necessary due to failure, Felix Wu, dean of the College of Electrical Engineering and Computer Science at National Cheng Kung University, told Domino Theory.
Still, Chang says, “we need to define the timeline… to replace, say, 90%” of these Chinese-made systems, suggesting that the government require this to be done within 5 years. But so far, “our government still doesn’t do that.”








