Proactive Joint Defense and Surveillance
In June 2025, a total of 89,675 cybersecurity intelligence reports from government agencies were compiled, reflecting a decrease of 2,957 from the prior month. A granular analysis of identifiable threats revealed that intrusion attacks dominated, constituting 33% of incidents. These primarily involved unauthorized system access or the illicit acquisition of user privileges.
Information collection came next at 30%, covering scanning, probing, and social engineering. Intrusion attempts accounted for 26%, meaning attempts to gain access to hosts without authorization that did not succeed.
The distribution of intelligence volume over the past year is illustrated in Figure 1. Further scrutiny of joint defense data illuminated a concerning trend: hackers were found to exploit compromised email accounts from critical infrastructure personnel. These adversaries executed social engineering attacks directed at select manufacturing companies, crafting emails with the subject “Please Assist in Confirmation” and utilizing password-protected, malicious compressed files.
Their objective was to circumvent antivirus protections and entice recipients into opening harmful attachments, thereby exfiltrating sensitive data. The intelligence gathered has prompted actionable recommendations for government agencies regarding enhanced defensive measures and surveillance protocols.
Figure 1: Statistics of Cybersecurity Monitoring Intelligence in Joint Defense
Incident Reporting and Response
This month recorded 168 cybersecurity incident reports, an increase of 24 incidents from May and of 10.53% over the same month last year. Successful attacks during drills were primarily attributable to insecure configuration settings, while injection attacks and deficiencies in access control together accounted for 66.67% of reported incidents. Incident report statistics for the past year are depicted in Figure 2.
Figure 2: Statistics of Cybersecurity Incident Reports
Post-Incident Information Sharing
A government agency recently discovered that its public service phone line was being used by unidentified individuals to place fraudulent calls. The investigation found that the affected phone was a Voice over IP (VoIP) device. Its call records showed connections from external IP addresses that had no business reaching the device, indicating that an outside party had gained access to the VoIP gateway and used it to place the illicit calls.
In response to this incident, account passwords for the device were promptly altered. After assessing the device’s future utility and associated security risks, the agency resolved to terminate its use to mitigate the possibility of recurrence.
Improperly configured VoIP equipment, in particular equipment without adequate account and password controls, a firewall, or monitoring, is open to this kind of abuse, which can cause significant financial loss (toll fraud) and erode public trust in government institutions. Recommendations for government organizations:
- Ensure adherence to the "deny by default, allow by exception" principle
  Remote access is often configured for maintenance purposes, and access restrictions on such paths are easily neglected, exposing the system to brute-force attacks and exploitation of vulnerabilities. The "deny by default, allow by exception" principle must therefore govern system maintenance operations: every source, port, and account is blocked unless it has been explicitly approved. (Regulations on Classification of Cyber Security Responsibility Levels – Schedule 10 – Defense standards of cyber systems – Access control)
- Implement strong passwords, rotate them regularly, and remove default credentials
  Manufacturers publish product manuals that are freely accessible and frequently list default passwords. Leaving these credentials unchanged leaves the device open to anyone who reads the manual. (Regulations on Classification of Cyber Security Responsibility Levels – Schedule 10 – Defense standards of cyber systems – Identification and authentication)
- Regularly evaluate whether devices still receive firmware updates and security patches, make this part of management procedures, and avoid deprecated or unsupported equipment
  Security weaknesses are routinely discovered in devices after release and must be patched. End-of-life devices that no longer receive security updates are a significant liability; organizations should build this evaluation into their management processes and decide whether such devices need to be retired. (Regulations on Classification of Cyber Security Responsibility Levels – Schedule 10 – Defense standards of cyber systems – Integrity of systems and information)
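The VoIP incident above was noticed through anomalies in call records, and the first recommendation is a default-deny access policy. The following is an added example, not part of the original report and not code from the Administration for Cyber Security, showing how the two fit together: a maintenance allowlist is the "allow by exception" data, and the same allowlist drives a check over gateway log lines that flags registrations and calls from any source that is not on it. The log format, field names, extensions, phone numbers and IP ranges are all constructed for illustration.

```python
"""Default-deny check over VoIP gateway call records (added example).

Everything here is assumed for illustration: the log line format
"<timestamp> <SIP method> from=<ip> to=<target> status=<code>",
the allowlisted networks, and the sample records.
"""
import ipaddress
from dataclasses import dataclass

# "Allow by exception": the only sources permitted to register with or
# administer the gateway. Anything else is denied and, if seen in the
# logs, reported. Both ranges are assumptions.
ALLOWED_SOURCES = [
    ipaddress.ip_network("192.0.2.0/24"),     # assumed internal VoIP VLAN
    ipaddress.ip_network("198.51.100.7/32"),  # assumed vendor maintenance host
]

# Constructed sample log: an outside host fails REGISTER twice, succeeds on
# the third try (weak/default credential), then places an outbound call.
# The last two lines are legitimate traffic from allowlisted sources.
SAMPLE_LOG = """\
2025-06-03T02:14:07 REGISTER from=203.0.113.45 to=ext1001 status=401
2025-06-03T02:14:08 REGISTER from=203.0.113.45 to=ext1001 status=401
2025-06-03T02:14:09 REGISTER from=203.0.113.45 to=ext1001 status=200
2025-06-03T02:15:31 INVITE from=203.0.113.45 to=+886912345678 status=200
2025-06-03T09:02:11 INVITE from=192.0.2.18 to=+886223456789 status=200
2025-06-03T10:40:55 REGISTER from=198.51.100.7 to=ext1002 status=200
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    source: str
    reason: str


def parse_line(line: str) -> dict:
    """Split one assumed-format log line into its fields."""
    timestamp, method, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": timestamp,
        "method": method,
        "src": ipaddress.ip_address(fields["from"]),
        "to": fields["to"],
        "status": int(fields["status"]),
    }


def is_allowed(ip: ipaddress._BaseAddress) -> bool:
    """Deny by default: true only if ip falls inside an allowlisted network."""
    return any(ip in net for net in ALLOWED_SOURCES)


def analyse(log_text: str, failure_threshold: int = 2) -> list[Finding]:
    """Return findings for traffic from sources outside the allowlist.

    Repeated REGISTER failures from one non-allowlisted source are reported
    once, when the threshold is reached (brute-force indicator). Any accepted
    REGISTER or INVITE from a non-allowlisted source is reported every time,
    because a successful registration or call from outside the allowlist is
    exactly the toll-fraud pattern described in the incident.
    """
    findings: list[Finding] = []
    failed_registers: dict[ipaddress._BaseAddress, int] = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if is_allowed(rec["src"]):
            continue
        if rec["method"] == "REGISTER" and rec["status"] == 401:
            count = failed_registers.get(rec["src"], 0) + 1
            failed_registers[rec["src"]] = count
            if count == failure_threshold:
                findings.append(Finding(
                    rec["ts"], str(rec["src"]),
                    "repeated failed REGISTER from non-allowlisted source "
                    "(possible brute force)"))
        elif rec["status"] == 200:
            findings.append(Finding(
                rec["ts"], str(rec["src"]),
                f"{rec['method']} accepted from non-allowlisted source "
                f"(target {rec['to']})"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.timestamp} {f.source}: {f.reason}")
```

Run as a script, it reports three findings, all from 203.0.113.45: the brute-force indicator at the second failed REGISTER, the accepted REGISTER, and the outbound INVITE. The two allowlisted records produce nothing. In practice the same allowlist would be enforced at the firewall in front of the gateway's SIP and administration ports, and this check would run on exported call records to catch anything that slipped past it.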
Data Source: Administration for Cyber Security
Create Date: 2025-08-06
Update Date: 2025-08-06
Source link: Moda.gov.tw.