Cyberattacks on Taiwan started several days before Pelosi arrival: report

The August cyberattacks targeting the government and infrastructure of Taiwan began days before U.S. House Speaker Nancy Pelosi became the first high-ranking U.S. official in 25 years to visit the country, according to a a new report from cybersecurity firm Trellix.

Researchers from the company's Advanced Research Center said their telemetry data showed a spike in detections in Taiwan, with over 32,000 detections of suspicious activity — ranging from malware to vulnerability scanning and more — seen in just one day. 

The system typically tracks about 9,000 to 17,000 detections each day in Taiwan, and the spike caught the researcher’s attention. 


Image: Trellix

“We assess with moderate confidence that the increase in malicious activity detected in Taiwan may be related to active and passive scanning, as well as pre-operational activities, such as actively compromising IoT devices, testing malware or attack vectors prior increasing attack potency, and so on,” Trellix researchers explained. 

“It is also possible that cyberattacks were taking place almost a week before Pelosi’s arrival on the island, starting on the exact day Pelosi’s trip was confirmed, which triggered a spike in detections.”

From July 29 to August 6 — five days before Pelosi arrived and two days after she left the island — Trellix saw a significant increase in detections directed at Taiwan’s government entities and retail stores. 

Some attacks were also targeted toward the technology sector in Taiwan. This data meshes with the extensive media coverage of brazen anti-Pelosi and anti-Taiwan messages displayed on screens in train stations, convenience stores and more. 

Hackers defaced large billboards with messages saying, “The old witch’s visit to Taiwan is a grave challenge to the sovereignty of the Chinese motherland; those who actively support (her visit) will face reprimand from the people of China;” and “War warmonger Pelosi get out of Taiwan.”


Photos taken across Taiwan. Image: Trellix

Days before Pelosi landed in Taiwan, Chinese leader Xi Jinping warned U.S. President Joe Biden that her trip was a violation of the country’s “one China” policy.

“Those who play with fire will perish by it. It is hoped that the U.S. will be clear-eyed about this,” Xi allegedly told Biden, according to a transcript China’s foreign ministry provided to Reuters.

Several websites run by the government of Taiwan were disrupted by distributed denial-of-service (DDoS) attacks hours before Pelosi arrived and Taiwan’s Ministry of National Defense said its network was taken offline by another DDoS incident hours after Pelosi left. DDoS attacks work by flooding sites with junk traffic, making them unreachable.

Chang Tun-Han, a spokesperson for Taiwanese President Tsai Ing-wen, said at the time that the website of the president’s office was hit with an “overseas DDoS attack” that surged traffic levels to 200 times their normal size. 

The websites for the National Defense Ministry, the Foreign Affairs Ministry and the country’s largest airport, Taiwan Taoyuan International were also affected. 

Trellix attributed many of the attacks to a group of hacktivists “who share patriotic sentiments for China” and are likely based in China or have close ties to the country. They could not confirm whether the activity was connected to the Chinese government specifically. 

In total, there were also attacks registered at the National Police Agency, Taiwan Power (Taipower) Company, and Taiwan Highway Administration. The website of National Taiwan University was also defaced. 

The group later claimed it had control over hundreds of thousands of IoT devices in Taiwan that could be leveraged to launch more destructive attacks.  

All of this took place as the Chinese military conducted exercises and jet flyovers around Taiwan. 

“The successful cyberattacks carried out by APT27_Attack against government websites, as well as convenience stores and train station displays have several implications. APT27_Attack demonstrated how cyberweapons can accompany kinetic military action as a useful instrument to protest against and influence foreign policy,” Trellix said. 

“One result of their effectiveness is South Korean president Yoon Suk-yeol declining to meet with Pelosi in the aftermath of cyberattack threats and China’s missile strike in six zones surrounding Taiwan.”

Yoon’s snub of Pelosi was made worse when his office said it was “decided in consideration of our national interest as a whole” — assumed by many to be a clear reference to the situation Taiwan was still facing with China. 

Trellix researchers warned that the success of the cyberattacks, even as limited as they were, may prompt similar efforts alongside more kinetic warfare. 

The group’s “cyber threat efforts effectively complemented China’s official military activity to stoke fear in Taiwan and other nations throughout the region,” Trellix said.

“Furthermore, Chinese netizens praised APT27_Attack as national heroes, which could invite future copycats.“

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.