4 Chinese APTs Attack Taiwan’s Semiconductor Industry

Chinese threat actors have turned to cyberattacks as a way to undermine and destabilize Taiwan’s most important industrial sector.

New Chinese threat actors have been trying to use phishing as a means of breaching Taiwan’s famed semiconductor industry.

Taiwan’s semiconductor industry is one of the most geopolitically significant on the planet. Beyond the revenue it generates, it is a unique and, for now, irreplaceable link in the supply chains of a wide range of global technologies. That makes Taiwan’s stability and prosperity, and by extension the Chinese Communist Party’s (CCP) ambition to take control of the island, a matter of critical importance to countries beyond Taiwan itself, most notably the US.

China is now using cyberattacks more than ever as a weapon against Taiwan’s semiconductor industry and, by extension, Taiwan’s national defense. Proofpoint researchers have identified three previously undocumented advanced persistent threat (APT) groups targeting the island’s chip industry in just the past few months, in addition to a fourth spotted late last year.

“Some of them are a little bit more novice, but we do see them develop over time,” notes Proofpoint staff threat researcher Mark Kelly. Others, he says, have more specialized, custom capabilities.

Four Previously Undocumented APTs
In May and June, Taiwanese companies involved in semiconductor manufacturing, packaging, and testing, along with organizations in the industry’s supply chain, received emails from a purported “graduate student.” Writing from a Taiwanese university email address, the “student” reached out to recruitment and human resources (HR) personnel to inquire about a job.

The emails carried either a PDF or a password-protected archive. Early on, the files concealed Cobalt Strike; later lures carried the Voldemort backdoor instead. Voldemort is a custom tool notable for its unusual use of Google Sheets for command and control (C2). Although it had previously been seen only in the hands of APT41 (aka TA415, Double Dragon, Brass Typhoon), Proofpoint tracks this latest cluster as distinct from APT41, temporarily referring to it as “UNK_FistBump.”
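C2 that rides on a legitimate SaaS API such as Google Sheets defeats domain-reputation blocking, because the destination is one that real users also reach. What a defender can still look for is timing: an implant polls its sheet on a schedule, while a person edits a document in bursts. The script below is an added illustration of that hunt over proxy logs; it is not Proofpoint’s tooling or anything derived from the Voldemort sample. The log lines, client IPs, spreadsheet and document IDs, and the thresholds (at least six requests, median absolute deviation under 10% of the median interval) are all constructed assumptions for the example.

```python
"""Beacon-interval hunting over proxy logs for C2 hidden in a legitimate API.

Added example, not code from the original article or from Proofpoint.
The log below is constructed sample data, not captured traffic.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed proxy log. Fields: timestamp, client IP, method, host, path.
# 10.1.2.33 polls the Sheets API about once a minute (implant-like pattern),
# 10.1.2.57 is a person editing a document in irregular bursts, and
# 10.1.2.80 has too few requests to judge either way.
SAMPLE_LOG = """\
2025-06-03T09:00:00Z 10.1.2.33 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE_SHEET_ID/values/Sheet1
2025-06-03T09:00:10Z 10.1.2.57 GET docs.google.com /document/d/EXAMPLE_DOC_ID/edit
2025-06-03T09:00:45Z 10.1.2.57 POST docs.google.com /document/d/EXAMPLE_DOC_ID/edit
2025-06-03T09:01:01Z 10.1.2.33 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE_SHEET_ID/values/Sheet1
2025-06-03T09:02:00Z 10.1.2.33 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE_SHEET_ID/values/Sheet1
2025-06-03T09:02:59Z 10.1.2.33 POST sheets.googleapis.com /v4/spreadsheets/EXAMPLE_SHEET_ID/values/Sheet1:append
2025-06-03T09:04:02Z 10.1.2.33 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE_SHEET_ID/values/Sheet1
2025-06-03T09:05:00Z 10.1.2.33 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE_SHEET_ID/values/Sheet1
2025-06-03T09:06:01Z 10.1.2.33 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE_SHEET_ID/values/Sheet1
2025-06-03T09:07:00Z 10.1.2.33 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE_SHEET_ID/values/Sheet1
2025-06-03T09:07:30Z 10.1.2.57 GET docs.google.com /document/d/EXAMPLE_DOC_ID/edit
2025-06-03T09:08:02Z 10.1.2.57 POST docs.google.com /document/d/EXAMPLE_DOC_ID/edit
2025-06-03T09:12:00Z 10.1.2.80 GET sheets.googleapis.com /v4/spreadsheets/OTHER_SHEET_ID/values/Sheet1
2025-06-03T09:25:00Z 10.1.2.57 GET docs.google.com /document/d/EXAMPLE_DOC_ID/edit
2025-06-03T09:25:09Z 10.1.2.57 POST docs.google.com /document/d/EXAMPLE_DOC_ID/edit
2025-06-03T09:42:00Z 10.1.2.80 GET sheets.googleapis.com /v4/spreadsheets/OTHER_SHEET_ID/values/Sheet1
"""


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, client_ip, host) for every non-blank log line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, host, _path = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, host))
    return events


def find_beacons(events, min_events: int = 6, max_jitter: float = 0.10,
                 min_period: float = 5.0) -> list[dict]:
    """Flag (client, host) pairs whose inter-request gaps are suspiciously regular.

    Regularity is measured robustly: median absolute deviation of the gaps
    divided by the median gap. Pairs with too few requests, or a median gap
    below min_period seconds (page-load bursts), are not scored at all.
    Thresholds are assumptions chosen for this example, not vendor values.
    """
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for when, ip, host in events:
        by_pair[(ip, host)].append(when)

    hits = []
    for (ip, host), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median < min_period:
            continue
        mad = statistics.median([abs(g - median) for g in gaps])
        jitter = mad / median
        if jitter <= max_jitter:
            hits.append({"client": ip, "host": host, "requests": len(times),
                         "period_s": median, "jitter": round(jitter, 3)})
    return sorted(hits, key=lambda h: h["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['host']}: {hit['requests']} requests, "
              f"period {hit['period_s']:.0f}s, jitter {hit['jitter']}")
```

On the constructed log only the 10.1.2.33 to sheets.googleapis.com pair is reported; the human editing session has a jitter ratio above 0.7 and the two-request client never reaches the minimum count. In practice the regularity score is a triage signal, not a verdict: follow it up with the process that owns the connection on the endpoint, since a browser tab reaching the Sheets API is expected and an unsigned binary doing so is not.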

While UNK_FistBump was playing the role of grad student, in April and May, a threat actor referred to as “UNK_DropPitch” was masquerading as an imaginary investment firm. These attacks — which dropped a simple, custom backdoor called “HealthKick” — were aimed not at semiconductor companies themselves but at large investment banks.

The motive behind the emails wasn’t financial. Instead, they targeted individuals involved in investment analysis for the semiconductor and broader technology sectors. Kelly hypothesizes, “It’s possible they’re interested in newly emerging information around this market — what particular companies are doing, if they have particularly interesting or new product lines, or new kinds of businesses that may change the landscape of competition within the global semiconductor supply chain.”

Before either FistBump or DropPitch, in March, “UNK_SparkyCarp” was sending emails disguised as Microsoft account login security notices. It was the group’s second run against Taiwan’s semiconductor industry, after an earlier campaign in November 2024.

Additionally, in October 2024, a fourth threat group called “UNK_ColtCentury” sent cold emails to legal personnel at Taiwanese semiconductor organizations. Proofpoint assesses that those emails were likely intended to deliver the SparkRAT backdoor.

Semiconductor Attacks Rev Up
It’s generally believed that Chinese APTs have been targeting Taiwan’s semiconductor industry for some time now. But actual evidence has been lacking. For years, Kelly had only seen it sporadically, “over the past five years, maybe kind of once or twice a year. Even then, we might see maybe one organization targeted.”

In comparison, he says, “the volume has been a lot higher this year, for sure.”

Exactly what might have precipitated this shift is unclear, but plenty has been happening in the industry lately that might have sparked extra interest. Earlier this year, the Trump administration was considering tariffs on foreign semiconductors. Meanwhile, Taiwan’s government has been taking steps to limit its business ties with China and investigating Chinese tech companies for allegedly illegally poaching employees of Taiwanese companies.

“It’s definitely interesting to us to see the increase [in cyberattacks] that we have seen,” Kelly says. “But I don’t think we have a clear-cut answer as to why now.”