Taiwan Says Hackers Attacked President Tsai Ing-wen’s Office


The office of Taiwanese President Tsai Ing-wen announced on Monday that information security services are investigating a suspected cyberattack.

The hackers apparently stole some files from the presidential office and leaked them to the media after they were “doctored” to create political embarrassment for the president. The incident comes as relations between Taiwan and Communist China, which is notorious for its aggressive cyber espionage, are growing steadily worse amid political fallout from the Wuhan coronavirus epidemic.

The South China Morning Post (SCMP) reported that a series of four emails was sent from an account called “tsailoser” to local media outlets, containing a set of 11 files that “claimed to detail the infighting and power struggles between Tsai and her confidants.”

The SCMP described the contents of the leaked files as “minutes from a meeting to discuss cabinet appointments, details of a potential power play between Tsai and Premier Su Tseng-chang and the strategy adopted by Tsai to defeat former premier William Lai during the Democratic Progressive Party’s presidential primaries last year.”

One of the files is reportedly a detailed political assessment of Tsai’s opponent in the DPP primary last year, William Lai. Detailed assessments of politicians are rarely flattering, and an unflattering profile of Lai could cause trouble in the second Tsai administration because he ended up as her running mate and is now vice president.

“We have already reported the case to the Criminal Investigation Bureau,” presidential spokesman Alex Huang said. 

Members of Tsai’s Democratic Progressive Party (DPP) accused Beijing of masterminding the attack with an eye toward disrupting Tsai’s formal inauguration into her second term, which she won by a landslide in January.

“Cyberattacks are a kind of information war and President Tsai must demand that the information security department steps up efforts to prevent hackers from hacking into the government system and fabricating information to affect our national security,” said DPP lawmaker Hsu Chih-chieh, who joined several other legislators in wondering how the hackers gained access to the heavily-protected presidential computer system and speculating that it might have been an inside job.

Wu Sz-huai, a legislator from the Beijing-friendly Kuomintang opposition party, on Tuesday argued that the leak was more likely the work of a disgruntled presidential employee than Chinese state hackers. 

Wu’s defense of China, as summarized by Taiwan News, simultaneously claimed the Communist country would not use cyber-espionage to advance a political narrative and advanced precisely the political narrative the hackers intended, namely that Tsai’s office and party are riven by power struggles and use dirty tricks to defeat their opponents:

Wu said that the leaked documents sent to the media likely pointed to a power struggle among the ruling Democratic Progressive Party’s factions, given the leak’s discussions about how to deter President Tsai Ing-wen’s rival William Lai in the 2019 party primary and matters related to personnel decisions in the new term, instead of the defense and diplomatic intelligence preferred by Chinese hackers.

Also, Chinese or other state hackers would never wish to draw attention to their intrusions, as they would aim to leave the door open for continued re-entry.

He also pointed out that the office building’s intranet has been disconnected from the internet for years, adding that there are defenses which protect information from cyberattacks. Wu considered the leak more likely to have been committed by people with access to the intranet, who disagree with the power plays and new appointments, and wish to expose a crisis in Tsai’s government.

Chinese state hackers do have a preference for stealing valuable intellectual property and military secrets, but they hardly confine their efforts to such targets. And while all skilled hackers prefer to linger undetected in compromised systems for as long as possible, they do not always wait until they have been spotted by security forces before selling or utilizing stolen data. In this case, the rapid deterioration of already poor relations between Taiwan and China after Tsai’s re-election and the coronavirus pandemic could have inspired Beijing to make quick use of pilfered documents to weaken the Taiwanese president.

The Kuomintang party announced on Tuesday that its representatives will refuse to approve DPP nominees for the second Tsai administration until the hacking incident has been investigated to their satisfaction. Kuomintang representatives said the documents leaked in the hack, if genuine, exposed an “appalling” degree of presidential infringement upon independent agencies, and suggested the “hack” might actually have been a deliberate leak staged by members of Tsai’s own party who are jockeying for power in the new administration.

Taiwan News pointed out that some of the leaked documents pertain to Tsai’s reshuffling of her cabinet for her second term, appearing to show “Tsai favors certain candidates in her camp and hints at a possible power play between herself and Premier Su Tseng-chang, who will retain his post during Tsai’s second term.” Such rumors of intrigue would only be effective at damaging Tsai if leaked very quickly, while the cabinet changes are a big story in Taiwan.

Enoch Wu, a former member of Taiwan’s National Security Council, said on Sunday that Taiwanese government systems have been breached by hackers far more often than the public realizes. Wu attributed the government’s weak cyber defenses to over-reliance on third party security consultants and poor security practices by government officials, including a tendency to copy secure documents onto insecure personal devices so they can work outside of their offices.

“Every time a data breach occurs, each agency seeks external help to ‘clean up’ office desktops and network servers and that’s the end, while it needs to be addressed properly to avoid the attacks from happening again and again,” he said.
