China's Cyber Siege: Taiwan Faces 2.6 Million Daily Attacks in Coordinated Hybrid Warfare Campaign

Taiwan's critical infrastructure endured nearly one billion cyberattacks throughout 2025, according to newly released data from the island's National Security Bureau (NSB), marking an unprecedented escalation in what security officials describe as coordinated "hybrid warfare" tactics that blend digital intrusions with military pressure. This campaign aligns with broader Chinese cyber operations targeting global network infrastructure observed throughout 2025.

The Scale of Digital Aggression

The NSB report reveals that Taiwan's essential services faced an average of 2.63 million intrusion attempts daily in 2025, representing a 6% increase from the previous year and a staggering 113% surge since 2023, when the bureau first began publicly tracking these metrics. The cumulative assault totaled approximately 960 million attempted breaches targeting nine critical sectors spanning government agencies, energy systems, healthcare facilities, telecommunications networks, transportation infrastructure, emergency services, water resources, financial systems, and the semiconductor manufacturing parks that anchor Taiwan's economy.

The energy sector bore the brunt of this digital onslaught, experiencing a tenfold increase in attack volume compared to 2024. Emergency services and hospitals saw intrusion attempts climb 54% year-over-year, raising urgent concerns about potential disruptions to public safety and medical care. These targeted campaigns against life-critical infrastructure suggest adversaries are mapping vulnerabilities that could be exploited during periods of heightened geopolitical tension or conflict.

The Threat Actor Landscape

Taiwan's intelligence services identified five primary Chinese state-sponsored hacking groups orchestrating these operations: BlackTech (also tracked as Circuit Panda and Canary Typhoon), Flax Typhoon (Ethereal Panda), Mustang Panda (Basin, Bronze President), APT41 (Bronze Atlas, Brass Typhoon, Double Dragon), and UNC3886. Each group demonstrated specialized targeting preferences aligned with strategic intelligence collection priorities.

BlackTech concentrated operations against communications infrastructure and science parks housing Taiwan's vital semiconductor industry. Flax Typhoon appeared to lead hospital targeting efforts, deploying at least 20 ransomware campaigns throughout 2025 designed to cripple major medical facilities while simultaneously exfiltrating patient data for sale on dark web marketplaces. This pattern reflects broader trends in healthcare targeting that made the medical sector the most heavily attacked critical infrastructure category in 2025. Mustang Panda and APT41 both prioritized energy infrastructure penetration, conducting intensive reconnaissance of industrial control systems operating petroleum facilities, electrical grids, and natural gas distribution networks. UNC3886 maintained focus on the technology sector, particularly the science parks where companies like TSMC develop and manufacture the advanced semiconductors that power global artificial intelligence systems.

Attack Methodology and Technical Tactics

The NSB report outlined four primary attack vectors employed by Chinese cyber forces: hardware and software vulnerability exploitation, distributed denial-of-service (DDoS) operations, social engineering campaigns, and supply chain compromise. These tactics align with global patterns of critical infrastructure targeting observed throughout 2025.

Vulnerability exploitation accounted for over half of all intrusion attempts, underscoring Beijing's investment in weaponizing zero-day flaws and unpatched security gaps across network equipment, industrial control systems, and enterprise software. Threat actors demonstrated particular sophistication in targeting telecommunications providers, exploiting vulnerabilities in edge network equipment to establish persistent access to both primary and backup communication channels.

DDoS attacks aimed to overwhelm critical systems and disrupt public services, creating chaos and degrading citizen confidence in government capabilities. Record-breaking DDoS operations in 2025 demonstrated how volumetric attacks have evolved into strategic weapons capable of paralyzing entire sectors. Man-in-the-middle attacks enabled adversaries to intercept sensitive communications and steal classified information flowing through compromised telecommunications networks.

Perhaps most concerning, Chinese operators increasingly targeted upstream, midstream, and downstream suppliers within Taiwan's semiconductor and defense supply chains. By compromising vendors, contractors, and service providers, attackers gained indirect access to high-value targets while maintaining operational security. This supply chain infiltration strategy, which emerged as a dominant attack vector in 2025, allowed adversaries to implant malware during software updates, equipment maintenance windows, and system upgrade cycles—precisely the moments when security defenses are often relaxed.

Synchronization with Military Operations

The report's most alarming finding concerns the precise coordination between cyber operations and kinetic military activities. Throughout 2025, China conducted 40 "joint combat readiness patrols" involving warplanes and naval vessels operating in Taiwan's vicinity. Cyberattack intensity escalated during 23 of these military exercises, demonstrating calculated integration of digital and physical coercion.

Attack volumes also spiked during politically sensitive moments. When President Lai Ching-te delivered his first anniversary address in May 2025, cyber operations surged. Similarly, when Vice President Hsiao Bi-khim addressed European Parliament lawmakers in November, intrusion attempts intensified dramatically. This correlation pattern suggests Chinese cyber forces operate under directives that align digital operations with broader strategic messaging and political coercion objectives.

Strategic Implications: Hybrid Warfare in Practice

Security analysts view this synchronized approach as evidence that Beijing is actively rehearsing the cyber component of a potential Taiwan conflict scenario. The sustained campaign serves multiple strategic purposes: mapping critical infrastructure vulnerabilities, testing Taiwan's incident response capabilities, straining defensive resources, and signaling displeasure with Taiwan's international engagement while maintaining plausible deniability below the threshold of armed conflict. These tactics mirror Chinese cyber operations against U.S. telecommunications providers and other strategic targets throughout 2025.

The concept of "hybrid warfare" involves combining conventional military pressure with information operations, economic coercion, and cyber attacks to achieve political objectives without necessarily resorting to full-scale invasion. Russia's 2022 invasion of Ukraine demonstrated how cyber operations could precede and support kinetic military action. China appears to be adapting these lessons, integrating cyber capabilities into multi-domain operational planning while studying how to achieve "information dominance"—the ability to control, manipulate, and defend information flows to maximize warfighting effects.

The systematic targeting of Taiwan's semiconductor industry carries particular significance given TSMC's role as the world's dominant producer of advanced chips essential to AI development, military systems, and virtually all modern electronics. Theft of proprietary manufacturing processes, design specifications, and operational intelligence directly supports China's national objective of achieving technological self-sufficiency and reducing dependence on foreign semiconductor sources—a critical vulnerability in the context of escalating US-China technological competition.

Taiwan's Response and International Cooperation

Recognizing the existential nature of these threats, Taiwan has expanded cybersecurity cooperation with over 30 countries worldwide. The NSB participates in information security dialogues and technical conferences aimed at obtaining timely intelligence on emerging Chinese attack patterns and tactics. Through international partnerships, Taiwan conducts joint investigations into malicious relay infrastructure, shares threat indicators, and coordinates defensive responses.

The report notes that intelligence services and security agencies across the Indo-Pacific region, NATO member states, and the European Union have repeatedly identified China as a primary source of global cybersecurity threats. This international consensus, documented in comprehensive threat intelligence assessments, provides Taiwan with valuable external validation and creates opportunities for multinational defensive coordination.

The Road Ahead

Taiwan's experience serves as a preview of how modern conflicts may unfold in an increasingly connected world. The blurring of boundaries between peacetime cyber espionage and wartime infrastructure attacks creates strategic ambiguity that benefits aggressors while complicating defensive planning and international response frameworks.

As geopolitical tensions persist in the Taiwan Strait, the cyber domain will remain a central arena for competition. The sheer volume and sophistication of ongoing attacks—nearly three million daily intrusion attempts—demands sustained investment in defensive capabilities, workforce development, supply chain security, and international cooperation. Taiwan's experience fits within the broader 2025 cybersecurity threat landscape characterized by escalating state-sponsored operations, critical infrastructure targeting, and the weaponization of cyber capabilities for geopolitical objectives. The question is no longer whether cyber operations will play a role in future conflicts involving Taiwan, but rather how prepared the international community is to respond when digital attacks transition from persistent harassment to operational warfare.

For defenders worldwide, Taiwan's ordeal offers critical lessons: critical infrastructure requires defense-in-depth approaches that assume breach and prioritize resilience, supply chains represent attack surfaces requiring continuous monitoring and vetting, and cyber capabilities must be integrated into broader national security planning rather than treated as standalone technical challenges. The 960 million attacks Taiwan faced in 2025 weren't merely a security problem—they were a strategic signaling campaign, intelligence collection operation, and operational rehearsal combined into a sustained digital siege that shows no signs of abating.


This analysis is based on Taiwan's National Security Bureau report "Analysis on China's Cyber Threats to Taiwan's Critical Infrastructure in 2025" and reporting from Reuters, Focus Taiwan, and cybersecurity industry publications. China routinely denies all accusations of conducting cyberattacks.
