Cyber Incident Victim: CPC Corporation
Date: May 2020
Location: Taiwan
Summary
A ransomware attack targeted Taiwan's state oil company. Authorities attributed it to the Winnti group or a closely affiliated entity linked to Chinese state-sponsored activities. The incident disrupted customer payment card operations for fuel purchases and forced infrastructure rebuilding, though energy production remained unaffected. This attack formed part of a broader pattern compromising multiple critical domestic energy and technology organizations in Taiwan through ransomware campaigns.
Description
On May 4, 2020, Taiwan’s state-owned oil company CPC Corporation sustained a ransomware attack that disrupted operations. Taiwanese authorities attributed the attack to the Winnti hacking group or a closely related entity, citing forensic evidence including configuration files and domain names left behind by the attackers. The Ministry of Justice publicly disclosed this assessment in an official statement, linking Winnti to Chinese state-sponsored cyber operations. While the ransomware did not compromise CPC’s core energy production capabilities, it significantly impacted customer-facing systems. Specifically, the attack prevented customers from using CPC payment cards to purchase gasoline, indicating disruption to retail transaction processing infrastructure. CPC initiated recovery efforts that required rebuilding portions of its compromised IT environment.

The incident occurred amid a broader ransomware campaign targeting Taiwan’s critical infrastructure sectors. The Ministry of Justice noted multiple “important domestic energy and technology companies” had been affected by similar attacks in recent weeks, though it did not explicitly name additional victims beyond CPC. Local media reports interpreted the ministry’s statement as confirming CPC’s involvement alongside other unnamed organizations. The attack highlighted operational risks to Taiwan’s strategic assets, with reconstruction of compromised systems representing a primary organizational response. No ransomware variant or specific financial demands were disclosed in available reporting. The Chinese government did not publicly respond to Taiwan’s allegations of Winnti’s involvement.
