China identifies Taiwanese hackers allegedly behind cyberattacks and espionage

China’s state security ministry (MSS) has accused four individuals allegedly linked to Taiwan’s military of carrying out cyberattacks and espionage against the mainland.

In a statement on Monday, the MSS identified the suspects as members of Taiwan’s Information, Communications, and Electronic Force Command (ICEFCOM) within the defense ministry. It released their names, headshots, birthdates and job titles.

Beijing claims that ICEFCOM has been conducting cyber operations since 2023, targeting key infrastructure in China, including power grids, water supplies and telecommunications networks. According to the MSS, the agency has hired hackers and cybersecurity firms to support government-directed cyber warfare.

Chinese authorities did not provide detailed evidence of these operations but claimed they involved phishing attacks, propaganda emails targeting government and military agencies, and disinformation campaigns using social media aliases such as Anonymous 64.

In a statement on Tuesday, Taiwanese Premier Cho Jung-tai denied China’s allegations, saying Beijing fabricated them “in order to justify their own ongoing cyberattacks against Taiwan.”

ICEFCOM asserted that its operations focus on national defense rather than offensive cyber activities against China, alleging that Beijing’s “ungrounded” accusations are likely aimed at intimidating the Taiwanese public.

Tit-for-tat

Taiwan and China’s complex and tense relationship — with Beijing claiming self-governing Taiwan as part of its territory — often extends to the cyber realm. 

In a recent report, Taiwanese security officials said Chinese hackers were behind most of the cyberattacks targeting the islands.

“Their techniques have become increasingly sophisticated and cover a wide range of targets, such as government agencies, critical infrastructure, and the high-tech manufacturing industry,” Taiwan’s principal intelligence agency said.

China, in turn, accuses Taiwan of conducting cyber operations against the mainland and has recently begun publicly identifying the alleged threat actors behind the attacks.

China first publicly named alleged Taiwanese hackers in 2024 when the MSS reported on Anonymous 64 — a purported hacktivist group that China claims is actually operated by Taipei — said Dakota Cary, a China-focused consultant at cybersecurity firm SentinelOne. That report revealed the names and photographs of three Taiwanese military personnel accused of involvement with the group. Taiwan denied those accusations.

Identifying foreign hackers is common among some Western cybersecurity companies but the move is new for China, he added.

Following the MSS statement, three Chinese cybersecurity firms — QiAnXin, Antiy, and Anheng Information — published separate reports detailing the activities of an alleged Taiwan-linked state threat actor tracked as APT-Q-20.

According to the reports, the group has been active since 2006 and has targeted government, military, defense, and scientific research institutions in China to obtain sensitive data.

While the reports by QiAnXin and Antiy do not explicitly mention the MSS accusations, their near-simultaneous release suggests possible coordination between Chinese authorities and the cyber firms, said Oleg Shakirov, a cyber policy and international security researcher who first noticed the reports.

Shakirov noted that Anheng Information’s report references the MSS press release but does not directly link Taiwan’s ICEFCOM to APT-Q-20, instead identifying it as a separate cyber espionage entity based on the island.

According to Cary, China has previously coordinated efforts between the state and cybersecurity companies. His prior research found that Chinese cybersecurity firm TopSec allegedly provided services for the government and private sector, such as web content monitoring used to enforce censorship.

“It would not be surprising to learn they had coordinated,” Cary said about the recent reports.

Shakirov echoed that sentiment on his Telegram channel, writing: “The degree of coordination can only be speculated about, but for now, it looks like a signal from the authorities in the spirit of: release everything there is on Taiwan.” 

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.