Taiwan's Administration for Cybersecurity Details 2025 Incident Landscape, Highlighting Intrusion and Supply Chain Threats

Taiwan Government Agencies Reported 726 Cybersecurity Incidents in Past Year

MEDIUM | May 25, 2026 | Cyberattack, Policy and Compliance

Related Entities

Organizations: Taiwan's Administration for Cybersecurity
Other: Taiwan

Executive Summary

The government of Taiwan has published its annual cybersecurity incident report, revealing that its agencies handled 726 security incidents in the past year. This represents a slight decrease from the 755 incidents reported in the prior year. According to data from Taiwan's Administration for Cybersecurity, the vast majority of these events (87.33%) were classified as level 1 (least severe), with no top-level (level 4) incidents occurring. The report provides a valuable snapshot of the threat landscape facing a major government, with unauthorized intrusions being the dominant attack type and emerging threats like supply chain compromise and driver-based attacks being key areas of concern.


Incident Breakdown

The 726 incidents were categorized by type, providing insight into the most common challenges faced by Taiwanese government agencies:

  • Unauthorized Intrusions: 68.6% of all incidents. This broad category likely includes everything from malware infections to unauthorized account access.
  • Equipment Malfunctions: 15.43%. While not always malicious, these events can have security implications and require investigation.
  • Service Disruptions: 4.96%. This could include Denial of Service (DoS) attacks or other events causing service unavailability.
  • Web Page Attacks: 2.48%. This category likely covers web defacements, cross-site scripting, and other web-based attacks.

The incidents were also rated by severity, with the breakdown as follows:

  • Level 1: 87.33%
  • Level 2: 9.78%
  • Level 3: 2.89%
  • Level 4: 0%

Major Identified Threats

Beyond the statistics, the Administration for Cybersecurity highlighted several key strategic threats that government agencies are facing. This analysis provides a forward-looking view of the attack vectors that are of greatest concern:

  1. Supply Chain Risk: The potential for newly acquired computers and hardware to contain pre-installed backdoors (T1195.002 - Compromise Software Supply Chain). This is a significant concern for government procurement.

  2. 'Bring-Your-Own-Driver' (BYOD) Attacks: Attackers using legitimate, but vulnerable, drivers to execute malicious code in the kernel; the technique is more widely known as Bring Your Own Vulnerable Driver (BYOVD). Mapped here to T1068 - Exploitation for Privilege Escalation, it can be used to disable security software from a privileged position.

  3. Third-Party Risk: Vulnerabilities in remote access software installed by contractors and third-party vendors, creating a weak point for initial access (T1199 - Trusted Relationship).

  4. Edge Device Vulnerabilities: An increasing focus by attackers on exploiting flaws in network edge devices like VPNs, firewalls, and routers (T1190 - Exploit Public-Facing Application).


Impact Assessment

While the majority of incidents were low-level, the sheer volume of 726 reported events indicates a persistent and high level of threat activity directed at the Taiwanese government. The identified strategic threats are particularly concerning. A successful supply chain attack could lead to widespread, persistent espionage. BYOD attacks can neutralize endpoint defenses by operating below the security software's own privilege level. The compromise of edge devices or third-party remote access tools can provide attackers with a direct and often stealthy path into sensitive government networks. This report underscores the complex and multi-faceted nature of defending government infrastructure against sophisticated adversaries.


Mitigation Guidance

Based on the threats identified by Taiwan's government, the following mitigations are crucial:

  1. Secure Procurement and Supply Chain Management: Implement stringent security vetting for all hardware and software procurement. This includes requiring vendors to provide a Software Bill of Materials (SBOM) and conducting independent security testing on new equipment before deployment. This aligns with M1016 - Vulnerability Scanning.

  2. Endpoint Hardening and Application Control: Use application control to prevent the loading of unauthorized or vulnerable drivers. Enable virtualization-based security (VBS) and Hypervisor-Protected Code Integrity (HVCI) where possible to protect the kernel.

  3. Third-Party Access Control: Enforce strict controls over remote access provided to contractors. This includes using multi-factor authentication, implementing just-in-time access, and logging all remote sessions.

  4. Attack Surface Management: Continuously scan and patch internet-facing edge devices. Prioritize vulnerabilities in VPNs and firewalls, as these are prime targets for initial access.
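Item 2 above is the one a Windows administrator can verify directly on a host. The script below is an added example, not code from the article or from Taiwan's Administration for Cybersecurity. It is a read-only audit of the protections that blunt vulnerable-driver abuse: whether VBS and HVCI are actually running (not just configured), whether the Microsoft vulnerable driver blocklist has been explicitly turned on, which running kernel drivers are not Microsoft-signed (the set an application-control policy must decide on), and how many Code Integrity block events the host logged recently. It assumes a Windows 10/11 endpoint, an elevated PowerShell session, and uses the `VulnerableDriverBlocklistEnable` registry value that Microsoft documents for its blocklist; the "O=Microsoft Corporation" subject match is a heuristic for separating first-party from third-party drivers, not a trust decision.

```powershell
# Added example (not from the article or the Taiwanese government report).
# Read-only audit of kernel protections relevant to vulnerable-driver attacks.
# Assumes Windows 10/11 and an elevated PowerShell session.

function Get-KernelProtectionStatus {
    # Win32_DeviceGuard exposes VBS/HVCI state.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running.
    # SecurityServicesRunning is a list: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # Microsoft documents this value for forcing the vulnerable driver blocklist on.
    # When the value is absent the build default applies, so the raw value is reported too.
    $ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' `
                     -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    [PSCustomObject]@{
        ComputerName                   = $env:COMPUTERNAME
        VbsRunning                     = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning                    = (@($dg.SecurityServicesRunning) -contains 2)
        VulnerableDriverBlocklistValue = $blocklist   # 1 = explicitly enabled; $null = not set
    }
}

function Get-NonMicrosoftRunningDrivers {
    # Inventory running kernel drivers and check each image's Authenticode signature.
    # A non-Microsoft signer is not evidence of compromise; it is simply the set that a
    # WDAC / application-control policy should explicitly allow or deny rather than inherit.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''   # strip the \??\ NT prefix some entries carry
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [PSCustomObject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status                        # Valid, NotSigned, HashMismatch, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            }
        } |
        Where-Object { $_.Signer -notlike '*O=Microsoft Corporation*' }
}

function Get-RecentCodeIntegrityBlocks {
    param([int]$Days = 7)
    # Event 3077 = image blocked by an enforced Code Integrity policy;
    # 3076 = would have been blocked, policy is in audit mode.
    # Both belong in the SIEM; a burst of them on one host is worth an analyst's look.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage: one host summary, then the drivers a policy must decide on, then recent blocks.
Get-KernelProtectionStatus        | Format-List
Get-NonMicrosoftRunningDrivers    | Format-Table -AutoSize
Get-RecentCodeIntegrityBlocks     | Format-Table -AutoSize
```

A host where `HvciRunning` is `$false` or where the driver list contains an unexpected third-party `.sys` is the one to prioritise for a WDAC policy; the script itself changes nothing, so it can be pushed fleet-wide through existing management tooling and the objects collected centrally.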

Timeline of Events

May 25, 2026: This article was published.

MITRE ATT&CK Mitigations

Timely patching of network edge devices is critical to reducing the external attack surface.

Using application control policies to block the loading of unauthorized or vulnerable drivers can mitigate BYOD attacks.

Strictly controlling and monitoring access for third-party contractors reduces the risk from compromised remote access tools.

Sources & References

  • "Agencies report 726 cybersecurity incidents last year", Taipei Times (taipeitimes.com), May 25, 2026
  • "DragonForce Strikes at HELIX INTERNATIONAL", DeXpose (dexpose.io), May 25, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

Taiwan, Government, Incident Report, Supply Chain, BYOD, Threat Landscape
