While the People's Liberation Army (PLA) Eastern Theater Command was conducting the "Joint Sword" joint military exercises, hacker groups backed by the Democratic Progressive Party (DPP) authorities' "Information, Communications and Electronic Force Command" launched targeted phishing email attacks against maritime-related institutions in the mainland's coastal regions, in an attempt to steal maritime intelligence and anticipate the PLA's operational plans, according to a report released on Thursday by the National Computer Virus Emergency Response Center and other relevant departments.
The report, titled "An ant trying to shake a tree - an investigation report on cyberattack activities of the DPP's 'Information, Communications and Electronic Force Command,'" was jointly released by the National Computer Virus Emergency Response Center, the National Engineering Laboratory for Computer Virus Prevention Technology and 360 Digital Security Group. It exposed insider information such as the historical background, organizational structure, personnel composition, work locations, operational tasks and examples of cyberattack cases of the DPP's "Information, Communications and Electronic Force Command."
The report said that the "command," dubbed the "fourth military branch," was developed under the former Taiwan regional leader Tsai Ing-wen with strong backing from the US military. Its predecessor belonged to the "cyber force" of the "tiger team" of the regional "defense authorities." It is responsible for coordinating cyber resources across the regional authorities, military and civilian tech sectors, and is tasked specifically with conducting cyberattacks and infiltration operations targeting the mainland, Hong Kong and Macao SARs.
The unit has been involved in large-scale theft of sensitive data and critical intelligence, supporting anti-China forces in the US in launching public opinion and cognitive warfare campaigns against the mainland. It has also covertly incited "color revolutions," aiming to disrupt public order, sow ethnic divisions, exacerbate social tensions and obstruct national reunification. It is widely referred to as "Taiwan's most secretive force," according to the report.
The "Information, Communications and Electronic Force Command" consists of four internal departments: the department of information and communications, department of cyber operations, department of electronic warfare and department of logistics, as well as one training and testing center. Its core technical capabilities are concentrated in three units: the information and communications wing under the department of information and communications, the cyber warfare wing under the department of cyber operations, and the electronic warfare center under the department of electronic warfare.
The report also unveiled five hacker groups backed by the DPP authorities and commanded by the "Information, Communications and Electronic Force Command" under the Taiwan regional defense department - APT-C-01, APT-C-62, APT-C-64, APT-C-65 and APT-C-67. They have carried out thousands of large-scale, organized, planned, and premeditated cyberattacks. These attacks have targeted critical sectors in the mainland and the Hong Kong and Macao SARs, including national defense, aerospace, government agencies, energy and transportation, maritime affairs, scientific research institutions and technology enterprises.
Using basic hacking techniques such as vulnerability scanning, brute-force password attacks, SQL injection, phishing emails, internal network sniffing and Trojan implantation, these groups have attempted to bypass security defenses of target systems to gain control over internal networks. Their ultimate goals have been to steal sensitive data and critical intelligence, and to disrupt the normal operations of enterprises. The nature of these activities is extremely malicious.
Among these groups, APT-C-67 is the group that launched cyberattacks targeting a tech company in Guangzhou, South China's Guangdong Province. On May 20, the Tianhe Branch of the Guangzhou Public Security Bureau issued a police notification, saying that a local tech company had been targeted by a cyberattack from overseas hackers. Public security authorities immediately launched an investigation, extracted samples of the malicious software involved, secured key evidence related to the case and organized a technical team to trace the source of the attack.
On May 27, the Tianhe police branch released a follow-up notification, reporting a major breakthrough in the investigation: The cyberattack against the tech company was found to have been carried out by a hacker group linked to the DPP authorities in Taiwan.
The report said that APT-C-67 bypassed the victim company's network security defenses, illegally accessed the backend systems of its autonomous devices, and conducted lateral movement to infiltrate and gain control over multiple internal network devices. They then uploaded multiple malicious attack programs to the backend systems of these devices, resulting in disruptions to the company's official website and some business systems. The cyberattack caused hours of service outage and interfered with the company's normal production and operations.
According to the report, APT-C-67 has been conducting cyberattacks over an extended period and remains highly active. Compared with other groups, its attack targets are more dispersed. It routinely relies on publicly available cyber asset mapping platforms or mass network address scanning to identify internet-connected systems within the mainland — such as network security systems and surveillance cameras — that have known vulnerabilities.
Exploiting these vulnerabilities, the group gains backend access to monitoring systems, deploys remote control tools or Trojans, extracts database information, and further infiltrates internal networks of relevant entities. Ultimately, it seizes full control and data access rights to the security systems, using real-time video feeds and archived footage to collect intelligence on the targeted areas.
The report also unveiled cases of cyberattacks launched by the other four hacker groups targeting the mainland. In 2024, the DPP authorities, in collusion with external forces, continued to engage in "independence" provocations, seriously jeopardizing cross-Straits relations and peace and stability in the Taiwan Straits.
Beginning in May 2024, the PLA's Eastern Theater Command has conducted a series of "Joint Sword" exercises around the Taiwan region to vigorously punish the separatist forces for seeking "independence" and to give a serious warning to external forces against interference and provocation on Taiwan.
Against this backdrop, APT-C-01 further extended its attack targets to the maritime sector and focused on launching targeted phishing e-mail attacks against maritime-related units in China's coastal areas, in a vain attempt to prejudge the plan of action of the PLA Navy's military exercises by stealing maritime-related intelligence.
In addition, in the first half of 2024, the US Department of State approved the sale of more than $600 million worth of arms to the Taiwan island, including 720 Switchblade 300 loitering munitions, 100 ALTIUS 600M-V uncrewed aerial vehicles and other advanced offensive weapons, and held the "US-Taiwan Defense Industry Conference" in June 2024 in Taiwan.
During the same period, the APT-C-62 organization stepped up its network infiltration and attack activities targeting key information infrastructure such as the mainland's defense and military industries, transportation and energy infrastructure. These activities are considered a response to the "US aid" and an attempt to sell to the US sensitive intelligence related to the mainland's national defense, military and energy reserves.
In September 2023, during the 19th Asian Games in Hangzhou, the APT-C-64 group remained highly active. It exploited web system vulnerabilities to launch infiltration attacks on portal websites, outdoor electronic screens, and internet TV platforms of organizations in the mainland as well as Hong Kong and Macao SARs. The group attempted to gain control over these platforms in order to disseminate illegal content, with the aim of manipulating public opinion and disrupting social order.
The report stated that the APT-C-65 organization's pattern of activities is very distinctive, and its attacks are closely linked to the "external affairs activities" of the leaders of the Taiwan regional authorities.
During then-US House Speaker Nancy Pelosi's provocative visit to the island in August 2022, and during the August 2023 visit to the US by then-DPP representative of Taiwan island, Lai Ching-te, under the pretext of a "transit stop," the APT-C-65 organization carried out intensive attacks in an attempt to steal secrets from the defense and military industries, government agencies, energy, transportation, scientific research and education, and other key information infrastructures, in particular, aerospace, ports, maritime and other related scientific research, production and management units.
Its intent is clearly to "offer tribute" during the close interactions between the DPP authorities and anti-China forces abroad.
According to the report, although Taiwan-based APT groups differ in their targets, tactics, techniques, and patterns of activity, they exhibit clear coordination and consistency in their intentions and objectives, which align closely with the DPP authorities' repeated acts of betrayal. This fully exposes the disgraceful nature of the DPP authorities in Taiwan Province, who attempt to gain leverage by relying on foreign forces and are willing to sell out national and ethnic interests for their own political gain.
According to informed sources, the DPP authorities have long colluded with US intelligence agencies such as the National Security Agency and the Central Intelligence Agency, relying on the so-called Information, Communications and Electronic Force Command to carry out cyberattacks and sabotage operations against the Chinese mainland as well as the Hong Kong and Macao SARs. In coordination with the US Indo-Pacific Strategy, they have willingly acted as pawns of the US in a vain attempt to seek "independence" by relying on the US.
US intelligence agencies have, for an extended period, provided personnel training and technical equipment to the "Information, Communications and Electronic Force Command," and have repeatedly dispatched "hunt forward" operations teams to Taiwan island, a matter currently under separate investigation, to conduct cyberattacks against China.
For example, Shen Yuxuan and others, who are currently wanted, received training in the US in July 2018 and subsequently participated in multiple cyberattacks targeting the mainland and the Hong Kong and Macao SARs. In the summer of 2019, they carried out a targeted cyberattack against the Hong Kong SAR. The crimes they have committed are too numerous to list.
Despite this, the cybersecurity tactics of Taiwan's "Information, Communications and Electronic Force Command" are clearly "not up to par." Du Zhenhua, a senior engineer at the National Computer Virus Emergency Response Center, told the Global Times that the report was titled "an ant trying to shake a tree" to mock the DPP authorities for their lack of self-awareness, as "an ant shaking a big tree is laughably self-important."
Du noted that Taiwan's "Information, Communications and Electronic Force Command" exposed a lot of information about the sources of its attacks, making them not very difficult to trace back and providing favorable conditions for quickly identifying the attackers.
Furthermore, he described the tactics of the "Information, Communications and Electronic Force Command" as despicable and underhanded - when they are unable to penetrate target systems or obtain valuable data from a network platform, they often resort to maliciously damaging the target systems by deleting system and user data, tampering with data or adding false information, and formatting system storage devices, severely disrupting normal operations of enterprises.
Zhou Hongyi, founder and chairman of 360 Security Technology, said that the technical level of Taiwan's "Information, Communications and Electronic Force Command" personnel is generally low, and their attack methods are simple and crude, with little concealment or sophistication, indicating a third-rate level.
Xiao Xinguang, the founder of leading anti-virus company Antiy Labs, commented that the cyberattack personnel from Taiwan mostly use open-source tools and rarely exploit zero-day vulnerabilities, suggesting that they lack the capability to develop their own tools and the necessary technical reserves.