China Accuses Taiwan of 'Feeble' US-Backed Cyberattacks, Dismissing APT Capabilities
In a significant development within the ongoing geopolitical and cyber rivalry in the Asia-Pacific region, China's National Computer Virus Emergency Response Center (CVERC) has published a detailed report leveling accusations against Taiwan. The report claims that Taiwan has been engaged in a years-long cyber offensive targeting mainland China, allegedly with the support and backing of the United States. However, the report doesn't portray these alleged attacks as sophisticated or highly effective; quite the contrary, it dismisses Taiwan's cyber capabilities as remarkably weak, likening their efforts to 'an ant trying to shake a tree'.
The report, titled “Operation Futile: Investigation report on Cyberattacks launched by ICEFCOM of Taiwan and its affiliated APT actors,” was released on Thursday by CVERC, in collaboration with the National Engineering Laboratory for Computer Virus Prevention Technology and the Chinese software vendor 360 Digital Security Group. This collaboration is notable, as these entities have previously co-authored reports making controversial claims, including the assertion that the United States orchestrated cyberattacks against itself as a false flag operation to discredit Beijing.
The Alleged Architects: Taiwan's ICEFCOM and the DPP
At the heart of China's accusation is Taiwan's Information, Communications and Electronic Force Command (ICEFCOM). According to the report, ICEFCOM was established in 2017 following the 2016 election in Taiwan, which saw the pro-independence Democratic Progressive Party (DPP) secure an outright majority. Beijing's narrative posits that the United States actively assisted the DPP in this election, thereby creating the political environment necessary for ICEFCOM's formation and subsequent alleged cyber activities. This framing aligns with China's long-standing view that Taiwan is an inalienable part of China and that any moves towards independence are instigated or supported by external forces, particularly the United States.
The report explicitly links ICEFCOM and the DPP to the operation of five specific advanced persistent threat (APT) groups. APTs are typically state-sponsored or state-aligned groups that conduct sophisticated, long-term cyber espionage or sabotage campaigns. The five groups named in the report are:
- APT-C-01 (Poison Vine)
- APT-C-62 (Viola Tricolor)
- APT-C-64 (Anonymous 64)
- APT-C-65 (Neon Pothos)
- APT-C-67 (Ursa)
The report delves into the alleged activities and characteristics of each of these groups, though often with a dismissive tone regarding their effectiveness.
Profiling the 'Feeble' APTs: Alleged Activities and Tactics
According to the Chinese report, the five alleged Taiwanese APT groups employ various tactics, albeit described as unsophisticated. The report suggests a degree of overlap in the activities of APT-C-01 (Poison Vine) and APT-C-62 (Viola Tricolor). Both groups are accused of primarily using phishing campaigns to target government and scientific institutions in mainland China. Following successful phishing attempts, they allegedly deploy malware to gain access to systems and exfiltrate sensitive data. Phishing remains one of the most common initial access vectors for APTs globally, relying on social engineering to trick targets into revealing credentials or executing malicious code.
APT-C-64 (Anonymous 64) is claimed to have a longer history, with China alleging its activities date back to 2006. The report links some members of this group to efforts promoting Taiwanese independence since the 1980s, attempting to tie the cyber activities directly to the political goals of the DPP and the independence movement. This group is accused of attempting to infiltrate websites, digital signage, and television stations with the aim of displaying content deemed 'illegal' by Beijing. However, the report quickly undermines this claim by stating that these efforts are largely ineffective, often falling into 'honeypots' set up by Chinese defenders. Furthermore, the report alleges that members of APT-C-64 resort to fabricating evidence of successful attacks to report back to their superiors, painting a picture of incompetence and deceit.
APT-C-65 (Neon Pothos) is described as employing some tactics similar to APT-C-62 but with a specific focus on surveillance of critical infrastructure. The report claims this surveillance intensifies during periods of significant political engagement between US and Taiwanese officials, suggesting an intelligence-gathering motive tied to diplomatic and strategic interactions. Targeting critical infrastructure, even for surveillance, is a common objective for state-sponsored actors seeking to understand potential vulnerabilities or gather intelligence for future operations.
Finally, APT-C-67 (Ursa) is accused of targeting video surveillance devices. The report alleges that this group uses these devices as entry points to plant malware and gather 'geographic intelligence'. Compromising surveillance systems can provide valuable insights into physical locations, security measures, and personnel movements, which could be useful for espionage or planning physical operations.
The Basis for the 'Feeble' Assessment
A central theme of the Chinese report is the alleged low capability level of these Taiwanese APT groups. The authors provide several reasons for this assessment, painting a picture of adversaries lacking sophistication and resources:
- **Reliance on Known Vulnerabilities:** The report claims the groups 'mainly exploit known vulnerabilities' rather than possessing the ability to discover and leverage zero-day exploits. While exploiting known vulnerabilities is a common and effective tactic, a heavy reliance on them can indicate a less sophisticated adversary compared to groups capable of developing or acquiring zero-days.
- **Heavy Use of Public Resources:** The report highlights the groups' alleged 'heavy reliance on public resources', including free or open-source code, publicly available Trojans and tools, commercial penetration testing frameworks, and publicly documented cyber attack techniques. This suggests a lack of independent development of custom malware or sophisticated attack frameworks, which are hallmarks of highly advanced state-sponsored groups.
- **Weak Anti-Tracing Capabilities:** The report asserts that the groups' 'anti-tracing capabilities are weak'. It points to flaws in their operational security, particularly in the crafting of lure documents and phishing pages, which allegedly contain numerous errors or inconsistencies that make attribution relatively easy. Strong operational security and sophisticated anti-tracing techniques are crucial for APTs seeking to maintain anonymity and persistence.
Based on these perceived weaknesses, the report concludes with a highly dismissive statement: “The clumsy and low-level performance of the DPP authorities and their affiliate hacker groups is as ridiculous as an ant trying to shake a tree. It is meaningless except for embellishing their ‘Taiwan independence’ illusion. If they don't pull back in time, they'll reap the whirlwind.”
The Geopolitical Chessboard and Cyber Narratives
This report from China's CVERC must be viewed within the broader context of the intense geopolitical rivalry between Beijing, Taipei, and Washington. Cyber capabilities are a significant component of this rivalry, used for espionage, intelligence gathering, potential sabotage, and increasingly, for shaping narratives and conducting information warfare.
China views Taiwan as a renegade province that must be reunified with the mainland, by force if necessary. The United States maintains unofficial relations with Taiwan but is legally bound by the Taiwan Relations Act to provide the island with the means to defend itself, a policy often referred to as 'strategic ambiguity'. This dynamic creates a complex environment where cyber activities are intertwined with political posturing and military readiness.
Both China and Taiwan, as well as the United States, are known to possess significant cyber capabilities and have been accused by various cybersecurity firms and governments of engaging in state-sponsored hacking. Reports from cybersecurity researchers often detail sophisticated campaigns attributed to groups linked to China targeting entities in Taiwan, the US, and other countries. Similarly, reports have emerged detailing cyber activities potentially linked to Taiwan or other actors targeting China.
The Chinese report's characterization of Taiwanese APTs as 'feeble' serves multiple potential purposes. Domestically, it can reinforce the narrative of China's strength and resilience against perceived threats, portraying the efforts of adversaries as insignificant. Internationally, it could be intended to downplay Taiwan's capabilities and perhaps deter other nations from viewing Taiwan as a significant cyber player or partner. It also serves to reiterate the claim of US interference in Taiwanese affairs, a recurring theme in Beijing's messaging.
However, the report's dismissive tone and the authors' history of publishing reports with highly questionable claims (such as the US hacking itself) invite skepticism. Cybersecurity experts often caution that public reports from state-affiliated entities, particularly in politically charged contexts, should be analyzed critically, as they can serve propaganda purposes or be used to misattribute activities.
The claim that Taiwan's APTs rely heavily on known vulnerabilities and public tools, while presented as evidence of feebleness, doesn't necessarily mean they are ineffective. Many successful cyberattacks, including those attributed to state actors, leverage readily available tools and exploit known, but unpatched, vulnerabilities. The effectiveness of a cyber operation depends not only on the sophistication of the tools but also on the planning, targeting, and execution. Furthermore, attributing cyberattacks with certainty is notoriously difficult, and different cybersecurity firms and national agencies often arrive at different conclusions regarding the identity and capabilities of threat actors.
The Role of State-Sponsored Cybersecurity Reports
In the realm of international cyber relations, public reports from government or state-affiliated cybersecurity centers are not merely technical analyses; they are also political statements. They can be used to:
- Attribute cyberattacks to specific adversaries, often for diplomatic or retaliatory purposes.
- Expose the tactics, techniques, and procedures (TTPs) of perceived threats to help domestic entities defend themselves.
- Shape public perception and international narratives about cyber capabilities and threats.
- Justify increased cybersecurity spending or policy changes.
- Engage in information warfare by spreading disinformation or discrediting adversaries.
Given the history of the co-authors of this report, particularly their previous claim that the US conducted false flag operations, the 'Operation Futile' report appears to lean heavily into the narrative-shaping aspect. By portraying Taiwan's alleged cyber efforts as laughably incompetent and entirely dependent on external (US) support, Beijing attempts to diminish Taiwan's agency and capability in the cyber domain, reinforcing its political stance.
The report's timing and release through official channels underscore the importance China places on controlling the narrative surrounding cyber activities involving Taiwan and the US. It serves as a counter-narrative to frequent reports from Western cybersecurity firms and governments that attribute sophisticated attacks against Western targets to Chinese state-sponsored groups.
Contextualizing APTs and Cyber Espionage
Advanced Persistent Threats (APTs) are characterized by their targeted nature, persistence, and often, their link to state or state-sponsored entities. Unlike cybercriminals primarily motivated by financial gain, APTs typically pursue objectives aligned with national interests, such as:
- **Espionage:** Stealing sensitive political, economic, or military intelligence.
- **Sabotage:** Disrupting critical infrastructure or government operations.
- **Influence Operations:** Manipulating information or systems to achieve political goals.
The activities described in the Chinese report – phishing for data exfiltration, attempting to infiltrate media for propaganda, surveilling critical infrastructure, and gathering geographic intelligence – align with typical APT objectives, particularly espionage and influence operations. However, the report's assessment of their execution as 'feeble' stands in contrast to the general perception of state-sponsored cyber capabilities in the region.
Cybersecurity researchers often track and name APT groups based on their observed activities, tools, and infrastructure. These names (like 'Poison Vine', 'Viola Tricolor') are often assigned by security firms, and different firms may use different names for the same group or link seemingly disparate activities under one group name. The names used in the Chinese report (APT-C-01, APT-C-62, etc.) appear to be internal designations used by the report's authors.
The US Dimension
The report's explicit claim of US backing for Taiwan's alleged cyber operations adds another layer to the accusation. The US has publicly accused China of extensive state-sponsored cyber espionage and intellectual property theft. China, in turn, frequently accuses the US of hypocrisy and conducting its own pervasive cyber surveillance and attacks. The claim of US involvement in supporting Taiwanese APTs fits within Beijing's broader narrative of the US attempting to contain or undermine China's rise.
While the US provides defensive support to Taiwan, the nature and extent of any US assistance with offensive cyber capabilities is not publicly known. Accusations of this nature from state actors are often difficult to verify independently and are frequently part of a larger information warfare strategy.
The report's mention of the US influencing the 2016 Taiwanese election to facilitate ICEFCOM's creation is a political claim aimed at delegitimizing both the DPP government in Taiwan and US involvement in the region. It aligns with Beijing's narrative that the desire for independence in Taiwan is not a genuine expression of the will of the Taiwanese people but rather a result of external manipulation.
Conclusion: A Report as a Weapon
China's report accusing Taiwan of running 'feeble' US-backed APTs is less a purely technical analysis than a strategic communication tool. It serves to dismiss the capabilities of a perceived adversary, reinforce domestic narratives of strength, and further Beijing's political agenda regarding Taiwan and the United States. While the report names specific alleged APT groups and describes their purported activities and weaknesses, the highly dismissive language and the authors' history suggest that the primary purpose is to shape perception rather than provide an objective assessment of the cyber threat landscape.
The reality of cyber conflict between China, Taiwan, and the US is undoubtedly complex, involving sophisticated actors on all sides. Public reports like 'Operation Futile' are valuable not necessarily for their unvarnished truth, but for what they reveal about the reporting entity's strategic priorities, narratives, and perception of the conflict. In this case, China is clearly attempting to portray Taiwan's cyber efforts as insignificant and externally manipulated, a narrative that resonates with its broader political goals in the region.
The report concludes with a veiled threat, warning Taiwan to 'pull back in time' or 'reap the whirlwind'. This reinforces the coercive aspect of Beijing's policy towards Taiwan, extending the pressure into the cyber domain and framing alleged cyberattacks from Taiwan as provocations that could have severe consequences.
Ultimately, while the technical details provided in the report may be subject to debate and verification by independent cybersecurity researchers, the political message is clear: China views alleged Taiwanese cyber activities as minor irritations, instigated by the US, and warns against their continuation.