Much media attention and scholarly research goes into understanding Chinese hacking campaigns. At the same time, Taiwan’s cyber capabilities are often overlooked, even though public sources indicate that Taiwan is an advanced cyber actor that has successfully and repeatedly breached key Chinese systems for over a decade. Over the last five years, Taiwan has developed organizational structures for offensive cyber capabilities. Taiwan’s cyberespionage capabilities could play a useful role in countering China’s growing disruptive attacks and detecting any military buildup along the Strait, while cyber operations themselves, could be used to react to Chinese cyber actors which have frequently targeted Taiwan, or disrupt the planning capabilities of the People’s Liberation Armed Forces. If a shooting war were to break out, however, cyber operations would likely play a much smaller role than traditional kinetic arms.
The cyber fourth service, i.e., the Information Communication Electronic Force Command (ICEF) is central to Taiwan’s offensive cyber operations. It was inaugurated on July 1, 2017 and brought together communication, cyber, and electronic warfare units under one organizational authority for the first time. The cyber warfare wing is estimated to have around one thousand soldiers, while total ICEF personnel numbers about six thousand. The ICEF is responsible for the operation of the national military network, which keeps track of the location of Taiwanese fighter jets and adversary-launched missiles as well as the smooth running of internal military communication lines.
Antiy, a Chinese anti-virus software provider, has exposed some Taiwanese offensive cyber capabilities. The company has been tracking nation-state hacking activities that it attributes to a Taiwanese group known as Green Spot, alternatively identified as PoisonVine or APT-C-01. The group has allegedly been active since 2007, working mostly from AS3462 and AS18182 (AS stands for Autonomous System, which are networks that act like a virtual post office) in Taiwan. Green Spot has traditionally targeted the Chinese government, military, and aviation sectors in their espionage operations. Antiy judges that the Green Spot threat actor does not display the most advanced capabilities seen in some other threat actors, but places it in the medium to high capability range, due to its proficient use of anti-virus evasion techniques and occasional deployment of zero-days in campaigns.
The other publicly known advanced Taiwanese hacking group is Sapphire Mushroom, also known as APT-C-12. It has been active since 2011. This group focuses not only on traditional targets, such as military institutions, Chinese embassies, or the finance sector, but also on the Chinese nuclear industry. Researchers from the Chinese cybersecurity company 360 note that the group’s activity decreased after they were exposed in reports in 2018. Since then, they appear to concentrate for a short period on a specific target and then disappear. 360 notes that Sapphire Mushroom has recently upgraded its tactics and techniques to disguise file transfers as normal traffic by using private cloud storage servers for command-and-control purposes.
One of the risks to the successful deployment of Taiwanese cyber capabilities in a potential conflict with China is a lack of internet connectivity. In the event of a Chinese invasion, internet connectivity on and to Taiwan might be severely restricted if not cut off entirely. Taiwanese submarine cable landing stations and the cables itself are only minimally protected and vulnerable. Taiwan is already attempting to close this vulnerability, through projects such as the recently laid Pacific Light Cable Network connecting Taiwan to the United States and the Apricot cable system (expected to be operational in 2024) that will link Taiwan to Japan and other regional neighbors. Taipei should also consider building ocean surveillance ships to keep cables protected. Taiwan’s creation of a backup satellite communications network is another way to build redundancy if undersea cables are severed. These changes will give Taiwanese cyber operators a better chance of staying online in the case of a potential conflict with China.
The vast majority of ICEF operations probably occur in the gray zone, below the threshold of armed conflict. Given Taiwanese operators’ capabilities, it is reasonable to assume that they would try to disrupt Chinese cyber groups before they can launch attacks, and provide technical guidance to Taiwanese organizations on how to counter common malware and vulnerabilities. If Chinese military operations look imminent, the ICEF would hope to disrupt logistical systems and steal information to gain insight into Beijing’s objectives. In the case of an invasion, cyberattacks would be designed to give Taiwan and its allies more time to coordinate comprehensive military assistance and a punitive sanctions regime. Offensive cyber strategy should reinforce Taiwan’s shift away from a focus on large, expensive platforms, which could be more easily located, targeted, and destroyed, toward more distributed, asymmetric capabilities to slow any Chinese aggression and give it more flexibility to respond to Chinese escalation.
While Chinese cybersecurity companies and state media have been keenly watching the maturation of Taiwan’s cyber capabilities, it is unclear how Chinese defense planners and decision makers evaluate the ICEF and its cyber capabilities. The continued commitment of resources and personnel on the other side of the Strait suggest, however, that Taiwanese leaders at the very least believe additional offensive cyber will give Taiwan a better capacity to respond to China’s ongoing gray zone campaign, and also provide warning of any potential escalation to armed conflict.
