Taiwan Telecommunications Intrusions

2022 – 2023 (disclosed 2023)

Espionage · Peak: Intrusion · Attribution: Moderate Confidence · Telecommunications · Critical Infrastructure

Year: 2023
Actor country: China (assessed)
Target regions: Taiwan
Unpeace score: 6

Executive Summary

Sustained intrusions into Taiwanese telecommunications providers attributed to China-linked threat groups, part of a broader pattern of pre-positioning in critical infrastructure. The campaigns, overlapping with activity Microsoft tracks as Volt Typhoon and Flax Typhoon, focused on persistent access rather than immediate disruption, raising concerns about preparation for contingency operations.

Why This Matters

These intrusions highlight the emerging norm challenge of peacetime pre-positioning: states embedding access in adversary infrastructure for potential future use, blurring the line between espionage and preparation for attack.

Escalation Profile

7-Dimension Profile

Escalation Ladder

Probing
Intrusion
Disruption
Degradation
Destruction
Strategic

Phases

2022 · Intrusion

Persistent access to telecom infrastructure

China-linked actors established long-term access in Taiwanese ISPs and telecom providers using living-off-the-land techniques to avoid detection.

2023 · Probing

Pre-positioning for contingency

Activity consistent with infrastructure mapping and access maintenance rather than data exfiltration, assessed as preparation for potential future disruption.

Threshold Crossings

  • Pre-positioning in telecom infrastructure of a potential military contingency target
  • Part of a broader pattern including US critical infrastructure (Volt Typhoon)

Restraint Factors

  • No disruptive or destructive actions observed
  • Activity consistent with intelligence preparation rather than immediate attack

Attribution Assessment

Moderate Confidence: Attributed by researchers and the US government to China-linked groups; Taiwan's government has acknowledged the threat without detailed public attribution.

Actor country: China (assessed)
Groups: Volt Typhoon · Flax Typhoon

1. Technical

Threat actor mapped to China (assessed) based on infrastructure analysis, malware attribution, and operational patterns.

Evidence: Microsoft: Volt Typhoon Targets US Critical Infrastructure

2. Political / Legal
Public Attribution
  • US CISA, NSA, and FBI joint advisory on Volt Typhoon (May 2023)
  • Five Eyes joint advisory on living-off-the-land threats to critical infrastructure
  • Taiwan strengthened telecom cybersecurity regulations

Sources: CISA/NSA/FBI Advisory AA23-144A: PRC State-Sponsored Cyber Actor Living off the Land

3. Open Source

No dedicated journalistic sources in dataset. See sources section for full references.

“Moderate Confidence” reflects available public evidence. All assessments carry inherent uncertainty and should be read alongside source material.

Unpeace Position

Unpeace Score: 6

Composite severity rating on the peace–conflict spectrum

Scale bands: Stable · Contested · Escalatory (axis ticks: 0, 30, 60, 100)

Contributing Dimensions

  • Escalation peak: 2/6
  • Threshold crossings: 2/4
  • Governance flags: 3/8
  • Sectors affected: 2/6
  • Entanglement: 4/10
  • Country scope: 1/6

Coercive Function

Espionage

Intelligence collection: the coercive value lies in the information advantage gained and in the implicit signal that the adversary can access sensitive systems.

Observed coercive effects

  • Pre-positioning in telecom infrastructure of a potential military contingency target
  • Part of a broader pattern including US critical infrastructure (Volt Typhoon)

Entanglement Risk

Entanglement score: 4

Sectors affected

Telecommunications · Critical Infrastructure

Countries / regions

Taiwan

Impact summary

Persistent access to telecom networks; no disruption observed, but pre-positioning raises contingency concerns.

Infrastructure Meaning

Capability profile

Persistent access to telecom networks; no disruption observed, but pre-positioning raises contingency concerns.

3 ATT&CK techniques mapped — see ATT&CK mapping below.

Governance Analysis

Governance Flags

  • [!] Norm Violation
  • [A] Public Attribution
  • [S] Sanctions Imposed
  • [I] Indictment
  • [U] UN Discussion
  • [R] Regulatory Change
  • [C] International Cooperation
  • [D] Deterrence Signal

Norms invoked

  • Responsible state behavior in ICT use (UN OEWG)
  • Pre-positioning in critical infrastructure as a potentially destabilizing activity

Policy responses

  • US CISA, NSA, and FBI joint advisory on Volt Typhoon (May 2023)
  • Five Eyes joint advisory on living-off-the-land threats to critical infrastructure
  • Taiwan strengthened telecom cybersecurity regulations

Regulatory changes

  • Taiwan amended telecommunications management regulations to include cybersecurity requirements
  • US critical infrastructure pre-positioning elevated as a strategic intelligence priority

Governance impact assessment

Crystallized the policy debate about whether pre-positioning in critical infrastructure during peacetime constitutes a violation of international norms, a question with no consensus answer.

Sources

  • CISA/NSA/FBI Advisory AA23-144A: PRC State-Sponsored Cyber Actor Living off the Land (Government · 2023-05-24)
  • Microsoft: Volt Typhoon Targets US Critical Infrastructure (Vendor Report · 2023-05-24)

Sources listed reflect publicly available materials used to construct this case entry. Inclusion does not imply endorsement. Where no URL is provided, the source may be found via its title and date.

Volt Typhoon

2023 – 2024 (disclosed 2024) · China

6

Volt Typhoon represents the clearest case of peacetime pre-positioning in adversary critical infrastructure, forcing an urgent policy reckoning on whether such activity constitutes a threat of force and how states should respond to it below the threshold of armed conflict.

Espionage · Intrusion

Belgacom

circa 2010 – disclosed September 2013 · United Kingdom

5

Belgacom is the strongest case in the dataset for the proposition that consequence in cyber conflict is determined by political relationship rather than by technical certainty. The forensic and documentary evidence base was as strong as in most cases coded 'confirmed'; the consequence was zero. Holding Belgacom alongside Salt Typhoon, a structurally similar telecom-backbone operation attributed to an adversary that drew OFAC sanctions, isolates the political variable.

Espionage · Intrusion

Salt Typhoon

Access established earlier; disclosed September–December 2024 (note: investigation and disclosures ongoing as of May 2025) · China

8

Salt Typhoon is the temporal pivot of the matched-pair argument. It is structurally similar to Belgacom (a foreign state compromising another state's telecommunications backbone) but draws a sharply higher consequence, OFAC sanctions on a named contractor, because the perpetrator is positioned outside the Western attributing coalition. Read alongside Belgacom and OPM, it shows the consequence axis tracking political relationship rather than technical facts; read alongside Volt Typhoon, it shows that the relationship can move within a short time horizon (sanctions arrived for Salt Typhoon faster than for the parallel Volt Typhoon campaign).

Espionage · Intrusion

APT1

2006 – disclosed February 2013; indictment May 2014 · China

7

APT1 is the foundational test case for indictment-as-signal in cyber statecraft. It demonstrates that the United States is willing to publicly name uniformed foreign military personnel, but that this willingness does not, on its own, translate into sanctions or any other coercive consequence. Read alongside Sandworm (indictment plus sanctions) and Salt Typhoon (sanctions on PRC contractor), it shows that the indictment-to-sanctions step is a discretionary political choice, not an automatic escalation.

Espionage · Intrusion