Taiwan suggests China’s Winnti group is behind ransomware attack on state oil company

An attempt to extort CPC, which is responsible for delivering oil products throughout Taiwan, would be a brazen move.
A CPC gas station in Taiwan. The station's parent company was hit with ransomware. (Wikimedia Commons/Solomon 203)

Taiwanese authorities have suggested that Chinese hackers were behind a ransomware attack against Taiwan’s state oil company, an aggressive assault on one of the island nation’s strategic assets.

Data left behind in the attack, such as a configuration file and domain name, point to the involvement of a group known as Winnti, or something “closely related” to it, Taiwan’s Ministry of Justice said in a statement Friday. Winnti is a broad collection of hackers that cybersecurity researchers have linked with the Chinese government.

Cybersecurity analysts say Beijing’s hackers have long conducted operations against Taiwanese targets to gather intelligence. But an attempt to extort Taiwanese company CPC Corp., which is responsible for delivering oil products throughout Taiwan, would be a much more brazen move. Although the attack didn’t affect CPC’s energy production, it did disrupt some customers’ efforts to use CPC Corp.’s payment cards to purchase gas.

CyberScoop could not independently confirm that Winnti was involved in the attack. The Chinese Embassy in Washington, D.C., did not immediately respond to a request for comment on the allegation.


The ransomware attack forced CPC to rebuild some of its infrastructure and is part of a spate of recent cyberthreats facing Taiwan.

Multiple “important domestic energy and technology companies” in Taiwan had been hobbled by ransomware in recent weeks, the Ministry of Justice said. It did not explicitly name CPC as a victim. Local media, however, reported the statement referred to CPC and other victims.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
