Taiwan Telecommunications Intrusions
2022 – 2023 (disclosed 2023)
Executive Summary
Sustained intrusions into Taiwanese telecommunications providers attributed to China-linked threat groups, part of a broader pattern of pre-positioning in critical infrastructure. The campaigns, overlapping with activity Microsoft tracks as Volt Typhoon and Flax Typhoon, focused on persistent access rather than immediate disruption, raising concerns about preparation for contingency operations.
Why This Matters
These intrusions highlight the emerging norm challenge of peacetime pre-positioning: states embedding access in adversary infrastructure for potential future use, blurring the line between espionage and preparation for attack.
Escalation Profile
Escalation Ladder
Phases
Persistent access to telecom infrastructure
China-linked actors established long-term access in Taiwanese ISPs and telecom providers using living-off-the-land techniques to avoid detection.
Pre-positioning for contingency
Activity consistent with infrastructure mapping and access maintenance rather than data exfiltration — assessed as preparation for potential future disruption.
Threshold Crossings
- Pre-positioning in telecom infrastructure of a potential military contingency target
- Part of a broader pattern including US critical infrastructure (Volt Typhoon)
Restraint Factors
- No disruptive or destructive actions observed
- Activity consistent with intelligence preparation rather than immediate attack
Attribution Assessment
Threat actor mapped to China (assessed) based on infrastructure analysis, malware attribution, and operational patterns.
Evidence: Microsoft: Volt Typhoon Targets US Critical Infrastructure
- US CISA, NSA, and FBI joint advisory on Volt Typhoon (May 2023)
- Five Eyes joint advisory on living-off-the-land threats to critical infrastructure
- Taiwan strengthened telecom cybersecurity regulations
Sources: CISA/NSA/FBI Advisory AA23-144A: PRC State-Sponsored Cyber Actor Living off the Land
No dedicated journalistic sources in dataset. See sources section for full references.
“Moderate Confidence” reflects available public evidence. All assessments carry inherent uncertainty and should be read alongside source material.
Unpeace Position
Coercive Function
Espionage
Intelligence collection — coercive value lies in the information advantage gained and the implicit signal that the adversary can access sensitive systems.
Observed coercive effects
- Pre-positioning in telecom infrastructure of a potential military contingency target
- Part of a broader pattern including US critical infrastructure (Volt Typhoon)
Entanglement Risk
Impact summary
Persistent access to telecom networks; no disruption observed, but pre-positioning raises contingency concerns.
Infrastructure Meaning
Capability profile
Persistent access to telecom networks; no disruption observed, but pre-positioning raises contingency concerns.
3 ATT&CK techniques mapped — see ATT&CK mapping below.
Governance Analysis
Norms invoked
- Responsible state behavior in ICT use (UN OEWG)
- Pre-positioning in critical infrastructure as a potentially destabilizing activity
Policy responses
- US CISA, NSA, and FBI joint advisory on Volt Typhoon (May 2023)
- Five Eyes joint advisory on living-off-the-land threats to critical infrastructure
- Taiwan strengthened telecom cybersecurity regulations
Regulatory changes
- Taiwan amended telecommunications management regulations to include cybersecurity requirements
- US critical infrastructure pre-positioning elevated as a strategic intelligence priority
Governance impact assessment
Crystallized the policy debate about whether pre-positioning in critical infrastructure during peacetime constitutes a violation of international norms — a question with no consensus answer.
Sources
CISA/NSA/FBI Advisory AA23-144A: PRC State-Sponsored Cyber Actor Living off the Land
Microsoft: Volt Typhoon Targets US Critical Infrastructure
Sources listed reflect publicly available materials used to construct this case entry. Inclusion does not imply endorsement. Where no URL is provided, the source may be found via its title and date.
Related Cases
Volt Typhoon
2023 – 2024 (disclosed 2024) · China
Volt Typhoon represents the clearest case of peacetime pre-positioning in adversary critical infrastructure, forcing an urgent policy reckoning on whether such activity constitutes a threat of force and how states should respond to it below the threshold of armed conflict.
Australia Parliament
January – February 2019 · Unknown (officially); China (widely assessed)
The compromise of a parliament and major parties during an election cycle demonstrated that cyber espionage against democratic institutions is a live risk, even when the collected intelligence is never publicly weaponized.
Midnight Blizzard
November 2023 – January 2024 (disclosed January 2024) · Russia
Midnight Blizzard showed that state actors will target the internal systems of foundational technology platforms, not just their customers, raising existential questions about supply chain trust and platform security accountability.
India–Pakistan Cyber
2016 – 2019 (multiple incidents) · India / Pakistan (reciprocal)
India-Pakistan cyber operations represent the most documented case of sustained reciprocal cyber espionage between regional nuclear-armed adversaries, demonstrating that cyber conflict dynamics extend well beyond the US-Russia-China axis.