Bilingual news
An ant trying to shake a tree! Taiwan authorities' "Information, Communications and Electronic Force Command" attempted to steal intelligence on PLA exercise plans
Published: Jun 05, 2025 08:51 AM
Photo: VCG

A report released on Thursday by the National Computer Virus Emergency Response Center and other departments shows that, while the People's Liberation Army (PLA) Eastern Theater Command was conducting its "Joint Sword" series of exercises, hacker groups backed by the "Information, Communications and Electronic Force Command" of Taiwan's Democratic Progressive Party (DPP) authorities mounted targeted phishing-email attacks against maritime-related institutions in the mainland's coastal regions, in an attempt to steal maritime intelligence and anticipate the PLA's exercise plans.

The report, titled "An Ant Trying to Shake a Tree: An Investigation Report on the Cyberattack Activities of the Hacker Groups of the DPP Authorities' 'Information, Communications and Electronic Force Command'", was jointly released on Thursday by the National Computer Virus Emergency Response Center, the National Engineering Laboratory for Computer Virus Prevention Technology and 360 Digital Security Group. It exposes insider information on the command's historical background, organizational structure, personnel, work locations, operational tasks and examples of its cyberattacks.

According to the report, the unit's full name is the "Information, Communications and Electronic Force Command" under the regional "defense authorities". Dubbed the "fourth military branch", it was built up after Tsai Ing-wen took office, with the backing of the US military. Its predecessor belonged to the "Tiger Team" cyber force of the regional "defense authorities". It coordinates the cyber capabilities of the Taiwan authorities, the Taiwan military and civilian technical circles, and is specifically tasked with conducting cyberattacks and infiltration against the mainland and the Hong Kong and Macao SARs.

The unit has engaged in large-scale theft of sensitive data and important intelligence, supported anti-China forces in the US in waging public-opinion and cognitive warfare against the mainland, and covertly instigated "color revolutions" in an attempt to disrupt public order, sow ethnic divisions, amplify social tensions and obstruct national reunification. Outsiders refer to it as "Taiwan's most secretive force", the report said.

The command has four internal departments, for information and communications, cyber operations, electronic warfare and logistics, plus a training and testing center. Its technical strength is concentrated in three units: the information and communications wing under the information and communications department, the cyber warfare wing under the cyber operations department, and the electronic warfare center under the electronic warfare department.

The report also exposes five hacker groups backed by the DPP authorities and commanded by the "Information, Communications and Electronic Force Command" under the regional defense authorities: APT-C-01 (毒云藤), APT-C-62 (三色堇), APT-C-64 (匿名者64), APT-C-65 (金叶萝) and APT-C-67 (乌苏拉). In an organized, planned and premeditated manner, these groups have carried out thousands of large-scale cyberattacks on the network systems of key sectors in the mainland and the Hong Kong and Macao SARs, including the defense and military industry, aerospace, government departments, energy and transportation, maritime affairs, scientific research institutions and technology enterprises.

Using rudimentary techniques such as vulnerability scanning, password brute-forcing, SQL injection, phishing emails, internal network sniffing and Trojan implantation, the groups attempt to bypass the security controls of target systems and gain control of internal networks, then steal sensitive data and important intelligence and interfere with the normal operations of enterprises. The nature of these activities is extremely malicious.

Among these groups, APT-C-67 (乌苏拉) is the one officially identified earlier as having attacked a technology company in Guangzhou, South China's Guangdong Province. On May 20, the Tianhe Branch of the Guangzhou Public Security Bureau issued a police notice stating that a local technology company had suffered a cyberattack by overseas hackers. The public security authorities immediately opened an investigation, extracted samples of the attack programs involved, fully secured the evidence in the case and organized a technical team to trace the source of the attack.

On May 27, the Tianhe Branch issued a second notice reporting a major breakthrough: the attack on the company had been carried out by a hacker group linked to the DPP authorities in Taiwan.

According to the report, APT-C-67 (乌苏拉) bypassed the victim company's network protection devices, illegally entered the back-end systems of its autonomous devices, and used lateral movement to infiltrate and take control of multiple devices on the company's internal network. It then uploaded several malicious programs to the back-end systems of those devices, affecting the company's official website and some business systems; network services were interrupted for several hours and normal production and operations were disrupted.

APT-C-67 (乌苏拉) has been active for a long period. Compared with the other groups, its targeting is more scattered. It routinely uses public internet-asset mapping platforms or batch scanning of network address ranges to find IoT systems inside China that are exposed on the public internet and carry known vulnerabilities, in particular security and surveillance systems and network cameras.

Exploiting those vulnerabilities, the group obtains back-end access to the monitoring system, pushes remote-control tools or Trojans, extracts database information and pivots into the internal network of the organization concerned. Ultimately it gains full control of, and data access to, the security system, and uses its live video feeds and historical recordings to collect intelligence on the area where the target is located.
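The chain described above (mass scanning for exposed camera and NVR web interfaces, then brute-forcing or exploiting their back-end login, two of the rudimentary techniques the report lists for all five groups) leaves traces in the device's own web-access log. The following is an added example, not code from the report or from the organizations that published it: a small Python detector that runs over constructed access-log lines in the common "combined" format and flags (1) a source IP that probes many distinct paths and mostly receives 404s, the signature of a mass scanner, and (2) a source IP with repeated failed POSTs to the admin-login endpoint inside a short window, noting when a successful login follows. The log lines, IP addresses, login paths, user agents and thresholds are all assumptions for illustration.

```python
"""Flag mass scanning and login brute-forcing in the web-access log of an
internet-exposed camera / NVR admin interface. Added example: the log lines,
IPs, paths and thresholds below are constructed assumptions, not report data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/cgi-bin/login", "/api/login"}  # assumed back-end login endpoints

# Constructed sample: one scanner, one brute-forcer, one user who mistyped once, one normal user.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:02:14:01 +0800] "GET / HTTP/1.1" 200 1412 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/May/2024:02:14:01 +0800] "GET /cgi-bin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/May/2024:02:14:02 +0800] "GET /admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/May/2024:02:14:02 +0800] "GET /config.xml HTTP/1.1" 404 0 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/May/2024:02:14:03 +0800] "GET /.env HTTP/1.1" 404 0 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/May/2024:02:14:03 +0800] "GET /manager/html HTTP/1.1" 404 0 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/May/2024:02:14:04 +0800] "GET /onvif/device_service HTTP/1.1" 404 0 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/May/2024:02:14:04 +0800] "GET /api/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.23 - - [12/May/2024:02:20:00 +0800] "POST /cgi-bin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.23 - - [12/May/2024:02:20:02 +0800] "POST /cgi-bin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.23 - - [12/May/2024:02:20:04 +0800] "POST /cgi-bin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.23 - - [12/May/2024:02:20:06 +0800] "POST /cgi-bin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.23 - - [12/May/2024:02:20:08 +0800] "POST /cgi-bin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.23 - - [12/May/2024:02:20:10 +0800] "POST /cgi-bin/login HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.9 - - [12/May/2024:08:30:00 +0800] "POST /cgi-bin/login HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.9 - - [12/May/2024:08:30:20 +0800] "POST /cgi-bin/login HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.10 - - [12/May/2024:09:00:00 +0800] "POST /cgi-bin/login HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.10 - - [12/May/2024:09:00:05 +0800] "GET /live HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def detect_scanners(events, min_paths=6, min_404_ratio=0.6):
    """IPs that touch many distinct paths and mostly get 404: path probing by a mass scanner."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        paths = {e["path"] for e in evs}
        not_found = sum(1 for e in evs if e["status"] == 404) / len(evs)
        if len(paths) >= min_paths and not_found >= min_404_ratio:
            hits[ip] = {"distinct_paths": len(paths), "not_found_ratio": round(not_found, 2)}
    return hits


def detect_login_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """IPs with >= threshold failed back-end logins inside `window`; records whether a
    successful login followed, which is the point at which the credentials are burned."""
    recent_failures = defaultdict(list)
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
            continue
        ip = ev["ip"]
        if ev["status"] in (401, 403):
            recent = [t for t in recent_failures[ip] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            recent_failures[ip] = recent
            if len(recent) >= threshold:
                entry = hits.setdefault(ip, {"failed_attempts": 0, "success_after": False})
                entry["failed_attempts"] = max(entry["failed_attempts"], len(recent))
        elif ev["status"] == 200 and ip in hits:
            hits[ip]["success_after"] = True
    return hits


def run(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"scanners": detect_scanners(events), "bruteforce": detect_login_bruteforce(events)}


if __name__ == "__main__":
    for kind, findings in run().items():
        for ip, detail in findings.items():
            print(f"{kind}: {ip} {detail}")
```

On the sample, 203.0.113.7 is reported as a scanner (8 distinct paths, 7 of 8 requests 404) and 198.51.100.23 as a brute-forcer whose fifth failure inside the window trips the threshold and whose subsequent 200 marks a likely credential compromise; the one-off failed login from 198.51.100.9 stays below threshold. A real deployment would feed the device or reverse-proxy log through the same two functions and raise the "success_after" case to the highest priority, since that is where the report's chain moves from scanning to back-end access.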

The report also describes the characteristics of the other four groups and specific cases of their attacks. In 2024 the DPP authorities, colluding with external forces, kept up their provocations in pursuit of "independence", seriously endangering cross-Straits relations and peace and stability in the Taiwan Straits. Beginning in May 2024, the PLA Eastern Theater Command conducted the "Joint Sword" series of exercises around Taiwan Province on several occasions, as a firm punishment of the "Taiwan independence" separatist forces and a stern warning to external forces that interfere and provoke.

Against this backdrop, APT-C-01 (毒云藤) extended its targeting into the maritime sector, focusing targeted phishing-email attacks on maritime-related units in China's coastal regions in a vain attempt to anticipate the PLA Navy's exercise plans by stealing maritime intelligence.

In addition, in the first half of 2024 the US Department of State approved arms sales to Taiwan worth more than $600 million, including 720 Switchblade 300 loitering munitions, 100 ALTIUS 600M-V loitering munitions and other advanced offensive weapons, and in June 2024 the "US-Taiwan Defense Industry Forum" was held in Taiwan. Over the same period, APT-C-62 (三色堇) stepped up its infiltration of critical information infrastructure in the mainland's defense industry, transportation and energy sectors. This is seen as a response to the "US aid": an attempt to sell the US sensitive intelligence on the mainland's defense, military and energy reserves.

In September 2023, during the 19th Asian Games in Hangzhou, APT-C-64 (匿名者64) remained active, repeatedly exploiting web-application vulnerabilities to break into portal websites, outdoor electronic displays and internet TV platforms belonging to organizations in the mainland and the Hong Kong and Macao SARs. Its aim was to gain control of these platforms and push illegal content onto them to stir up public opinion and disrupt social order.

The report says APT-C-65 (金叶萝) has a very distinctive activity pattern: its attacks track the so-called "external affairs activities" of the Taiwan authorities' leaders. During then US House Speaker Nancy Pelosi's visit to Taiwan Province in August 2022, and during the August 2023 trip to the US by Lai Ching-te, then the DPP's representative in Taiwan, under the pretext of a "transit", the group carried out intensive attacks and data theft against critical information infrastructure in the defense industry, government, energy, transportation, scientific research and education sectors, and in particular against research, production and management units related to aerospace, ports and maritime affairs. Its evident purpose is to "pay tribute" whenever the Taiwan authorities come into close contact with anti-China forces abroad.

According to the report, although the Taiwan APT groups differ in their targets, tactics and techniques, and activity cycles, their intentions and objectives are clearly coordinated with the "Taiwan independence" and treasonous acts the DPP authorities in Taiwan Province so frequently commit. This fully exposes the ugly face of the DPP authorities, who seek to gain leverage by relying on foreign powers and are willing to sell out the interests of the nation and the country for their own political gain.

According to informed sources, the DPP authorities have long colluded with US intelligence agencies such as the National Security Agency (NSA) and the Central Intelligence Agency (CIA), using the "Information, Communications and Electronic Force Command" to carry out cyberattacks and sabotage against the mainland and the Hong Kong and Macao SARs in support of the US "Indo-Pacific Strategy", willingly acting as a US "running dog" in a vain attempt to "seek independence by relying on the US".

US intelligence agencies, for their part, have long provided the command with personnel training and technical equipment, and have repeatedly dispatched so-called "hunt forward" teams to Taiwan (the subject of a separate investigation) to attack China.

For example, Shen Yuxuan and others, now wanted by the police, went to the US for training in July 2018 and subsequently took part in multiple cyberattacks on the mainland and the Hong Kong and Macao SARs, including an attack campaign specifically aimed at the Hong Kong SAR in the summer of 2019. Their crimes are too numerous to record.

Despite all this, the command's attack tradecraft is plainly "half-learned". Du Zhenhua, a senior engineer at the National Computer Virus Emergency Response Center, told the Global Times that the report is titled "An Ant Trying to Shake a Tree" to mock the Taiwan authorities for overestimating themselves: "an ant trying to shake a big tree is laughably overrating its own strength".

Du said that the command exposed a great deal of information about its attack sources when carrying out its attacks, so tracing them was not difficult, which made it possible to identify the attackers quickly. He also described the command's methods as despicable and dirty: when it cannot break into a target system or fails to obtain valuable data from a platform, it often lashes out and maliciously sabotages the target system, deleting the system and its user data, tampering with data or inserting false information, and formatting the system's storage devices, seriously disrupting the normal operations of enterprises.

Zhou Hongyi, founder of 360 Group, said the command's attack personnel are generally of low technical skill and use simple, crude methods with little concealment, which he rated as third-rate. Xiao Xinguang, founder of Antiy Group, said they mostly use open-source tools and very rarely use zero-day vulnerabilities, which to some extent indicates that they lack the ability to develop their own tools and the related technical reserves.